sync authentication kubelet-authn-authz validating-admission-policy

Update validating-admission-policy.md

Update kubelet-authn-authz.md

Update validating-admission-policy.md

Update validating-admission-policy.md

Update validating-admission-policy.md

Author: asa3311

content/zh-cn/docs/reference/access-authn-authz/authentication.md

@@ -743,7 +743,9 @@ jwt:
       # 1.  If username.expression uses 'claims.email', then 'claims.email_verified' must be used in
       #     username.expression or extra[*].valueExpression or claimValidationRules[*].expression.
       #     An example claim validation rule expression that matches the validation automatically
-      #     applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true)'.
+      #     applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'.
+      #     By explicitly comparing the value to true, we let type-checking see the result will be a boolean, and
+      #     to make sure a non-boolean email_verified claim will be caught at runtime.
       # 2.  If the username asserted based on username.expression is the empty string, the authentication
       #     request will fail.
       expression: 'claims.username + ":external-user"'
@@ -848,7 +850,9 @@ jwt:
       # 1.  如果 username.expression 使用 “claims.email”，则必须在 username.expression
       #     或 extra[*].valueExpression 或 ClaimValidationRules[*].expression 中使用 “claims.email_verified”。
       #     与 username.claim 设置为 “email” 时自动应用的验证相匹配的示例声明验证规则表达式是
-      #     “claims.?email_verified.orValue(true)”。
+      #     “claims.?email_verified.orValue(true) == true”。
+      #     通过显式地将该值与 true 进行比较，可以让类型检查器识别出结果是布尔值，
+      #     并确保在运行时能够识别出任何非布尔类型的 email_verified 声明。
       # 2.  如果根据 username.expression 断言的用户名是空字符串，则身份认证请求将失败。
       expression: 'claims.username + ":external-user"'
     # groups 代表 groups 属性的一个选项。

content/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz.md

@@ -208,7 +208,6 @@ Kubelet API   | resource | subresource
 /stats/\*     | nodes    | stats
 /metrics/\*   | nodes    | metrics
 /logs/\*      | nodes    | log
-/spec/\*      | nodes    | spec
 /pods         | nodes    | pods, proxy
 /runningPods/ | nodes    | pods, proxy
 /healthz      | nodes    | healthz, proxy
@@ -220,7 +219,6 @@ kubelet API   | 资源      | 子资源
 /stats/\*     | nodes    | stats
 /metrics/\*   | nodes    | metrics
 /logs/\*      | nodes    | log
-/spec/\*      | nodes    | spec
 /pods         | nodes    | pods, proxy
 /runningPods/ | nodes    | pods, proxy
 /healthz      | nodes    | healthz, proxy
@@ -238,8 +236,16 @@ flags passed to the API server is authorized for the following attributes:
 * verb=\*, resource=nodes, subresource=proxy
 * verb=\*, resource=nodes, subresource=stats
 * verb=\*, resource=nodes, subresource=log
-* verb=\*, resource=nodes, subresource=spec
 * verb=\*, resource=nodes, subresource=metrics
 * verb=\*, resource=nodes, subresource=configz
 * verb=\*, resource=nodes, subresource=healthz
 * verb=\*, resource=nodes, subresource=pods
+
+<!--
+If [RBAC authorization](/docs/reference/access-authn-authz/rbac/) is used,
+enabling this gate also ensure that the builtin `system:kubelet-api-admin` ClusterRole
+is updated with permissions to access all the above mentioned subresources.
+-->
+如果使用的是 [RBAC 鉴权](/zh-cn/docs/reference/access-authn-authz/rbac/)，
+那么启用此特性门控时，系统还会自动更新内置的 `system:kubelet-api-admin ClusterRole`，
+确保其具备访问上述所有子资源的权限。