Merge pull request #42274 from asa3311/sync-zh-36

[zh] sync dual-stack security-context

content/zh-cn/docs/concepts/services-networking/dual-stack.md

@@ -211,12 +211,11 @@ families for dual-stack, you can choose the address families by setting an optio
 
 {{< note >}}
 <!--
-The `.spec.ipFamilies` field is immutable because the `.spec.ClusterIP` cannot be reallocated on a
-Service that already exists. If you want to change `.spec.ipFamilies`, delete and recreate the
-Service.
+The `.spec.ipFamilies` field is conditionally mutable: you can add or remove a secondary
+IP address family, but you cannot change the primary IP address family of an existing Service.
 -->
-`.spec.ipFamilies` 字段是不可变的，因为系统无法为已经存在的服务重新分配
-`.spec.ClusterIP`。如果你想改变 `.spec.ipFamilies`，则需要删除并重新创建服务。
+`.spec.ipFamilies` 字段修改是有条件的：你可以添加或删除第二个 IP 地址族，
+但你不能更改现有服务的主要 IP 地址族。
 {{< /note >}}
 
 <!--
@@ -269,7 +268,7 @@ These examples demonstrate the behavior of various dual-stack Service configurat
    和[无头服务](/zh-cn/docs/concepts/services-networking/service/#headless-services)的行为方式
    与此相同。）
 
-   {{< codenew file="service/networking/dual-stack-default-svc.yaml" >}}
+   {{% codenew file="service/networking/dual-stack-default-svc.yaml" %}}
 
 <!--
 1. This Service specification explicitly defines `PreferDualStack` in `.spec.ipFamilyPolicy`. When
@@ -299,7 +298,7 @@ These examples demonstrate the behavior of various dual-stack Service configurat
    * 对于启用了双协议栈的集群，将 `.spec.ipFamilyPolicy` 设置为
      `RequireDualStack` 时，其行为与 `PreferDualStack` 相同。
 
-   {{< codenew file="service/networking/dual-stack-preferred-svc.yaml" >}}
+   {{% codenew file="service/networking/dual-stack-preferred-svc.yaml" %}}
 
 <!--
 1. This Service specification explicitly defines `IPv6` and `IPv4` in `.spec.ipFamilies` as well
@@ -313,7 +312,7 @@ These examples demonstrate the behavior of various dual-stack Service configurat
    `.spec.ClusterIP` 被设置成 IPv6 地址，因为它是 `.spec.ClusterIPs` 数组中的第一个元素，
    覆盖其默认值。
 
-   {{< codenew file="service/networking/dual-stack-preferred-ipfamilies-svc.yaml" >}}
+   {{% codenew file="service/networking/dual-stack-preferred-ipfamilies-svc.yaml" %}}
 
 <!--
 #### Dual-stack defaults on existing Services
@@ -338,7 +337,7 @@ dual-stack.)
    `.spec.ipFamilyPolicy` 为 `SingleStack` 并设置 `.spec.ipFamilies`
    为服务的当前地址族。
 
-   {{< codenew file="service/networking/dual-stack-default-svc.yaml" >}}
+   {{% codenew file="service/networking/dual-stack-default-svc.yaml" %}}
 
    <!--
    You can validate this behavior by using kubectl to inspect an existing service.
@@ -388,7 +387,7 @@ dual-stack.)
    并设置 `.spec.ipFamilies` 为第一个服务集群 IP 范围的地址族（通过配置 kube-apiserver 的
    `--service-cluster-ip-range` 参数），即使 `.spec.ClusterIP` 的设置值为 `None` 也如此。
 
-   {{< codenew file="service/networking/dual-stack-default-svc.yaml" >}}
+   {{% codenew file="service/networking/dual-stack-default-svc.yaml" %}}
 
    <!--
    You can validate this behavior by using kubectl to inspect an existing headless service with selectors.

content/zh-cn/docs/tasks/configure-pod-container/security-context.md

@@ -108,7 +108,7 @@ Here is a configuration file for a Pod that has a `securityContext` and an `empt
 对象。你为 Pod 所设置的安全性配置会应用到 Pod 中所有 Container 上。
 下面是一个 Pod 的配置文件，该 Pod 定义了 `securityContext` 和一个 `emptyDir` 卷：
 
-{{< codenew file="pods/security/security-context.yaml" >}}
+{{% codenew file="pods/security/security-context.yaml" %}}
 
 <!--
 In the configuration file, the `runAsUser` field specifies that for any Containers in
@@ -371,7 +371,7 @@ Pod 层面设置的内容发生重叠时，会重写 Pod 层面的设置。Conta
 下面是一个 Pod 的配置文件，其中包含一个 Container。Pod 和 Container 都有
 `securityContext` 字段：
 
-{{< codenew file="pods/security/security-context-2.yaml" >}}
+{{% codenew file="pods/security/security-context-2.yaml" %}}
 
 <!--
 Create the Pod:
@@ -454,7 +454,7 @@ Here is configuration file that does not add or remove any Container capabilitie
 首先，看一下不包含 `capabilities` 字段时候会发生什么。
 下面是一个配置文件，其中没有添加或移除容器的权能：
 
-{{< codenew file="pods/security/security-context-3.yaml" >}}
+{{% codenew file="pods/security/security-context-3.yaml" %}}
 
 <!--
 Create the Pod:
@@ -546,7 +546,7 @@ adds the `CAP_NET_ADMIN` and `CAP_SYS_TIME` capabilities:
 下面是一个 Pod 的配置，其中运行一个容器。配置为容器添加 `CAP_NET_ADMIN` 和
 `CAP_SYS_TIME` 权能：
 
-{{< codenew file="pods/security/security-context-4.yaml" >}}
+{{% codenew file="pods/security/security-context-4.yaml" %}}
 
 <!--
 Create the Pod:
@@ -853,7 +853,7 @@ kubectl delete pod security-context-demo-4
 <!--
 * [PodSecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core)
 * [SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core)
-* [Tuning Docker with the newest security enhancements](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
+* [CRI Plugin Config Guide](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
 * [Security Contexts design document](https://git.k8s.io/design-proposals-archive/auth/security_context.md)
 * [Ownership Management design document](https://git.k8s.io/design-proposals-archive/storage/volume-ownership-management.md)
 * [PodSecurity Admission](/docs/concepts/security/pod-security-admission/)
@@ -865,7 +865,7 @@ kubectl delete pod security-context-demo-4
 -->
 * [PodSecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core) API 定义
 * [SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core) API 定义
-* [使用最新的安全性增强来调优 Docker（英文）](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
+* [CRI 插件配置指南](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
 * [安全上下文的设计文档（英文）](https://github.com/kubernetes/design-proposals-archive/blob/main/auth/security_context.md)
 * [属主管理的设计文档（英文）](https://github.com/kubernetes/design-proposals-archive/blob/main/storage/volume-ownership-management.md)
 * [Pod 安全性准入](/zh-cn/docs/concepts/security/pod-security-admission/)