[zh] Resync VAP reference page

Author: tengqm

content/zh-cn/docs/reference/access-authn-authz/validating-admission-policy.md

@@ -199,7 +199,8 @@ otherwise the failures are ignored.
 否则这些失败将被忽略。
 
 <!-- 
-See [Audit Annotations: validation failures](/docs/reference/labels-annotations-taints/audit-annotations/#validation-policy-admission-k8s-io-validation-failure) for more details about the validation failure audit annotation.
+See [Audit Annotations: validation failures](/docs/reference/labels-annotations-taints/audit-annotations/#validation-policy-admission-k8s-io-validation-failure)
+for more details about the validation failure audit annotation.
 -->
 有关验证失败审计注解的详细信息，
 请参见[审计注解：验证失败](/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/#validation-policy-admission-k8s-io-validation_failure)。
@@ -274,6 +275,7 @@ The parameter resource could be as following:
 
 <!--
 This policy parameter resource limits deployments to a max of 3 replicas.
+
 An admission policy may have multiple bindings. To bind all other environments
 to have a maxReplicas limit of 100, create another ValidatingAdmissionPolicyBinding:
 -->
@@ -321,29 +323,6 @@ parameters.
 多个绑定之间可以在匹配条件存在重叠。系统针对匹配的绑定参数所有组合来评估策略。如果多个绑定与其匹配，
 或者同一个绑定与多个参数匹配，则策略甚至可以被多次评估。
 
-<!--
-Bindings can have overlapping match criteria. The policy is evaluated for each matching binding.
-In the above example, the "nontest" policy binding could instead have been defined as a global policy:
--->
-绑定可以包含相互重叠的匹配条件。策略会针对每个匹配的绑定进行计算。
-在上面的例子中，`nontest` 策略绑定可以被定义为一个全局策略：
-
-```yaml
-apiVersion: admissionregistration.k8s.io/v1alpha1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
-  name: "replicalimit-binding-global"
-spec:
-  policyName: "replicalimit-policy.example.com"
-  validationActions: [Deny]
-  params: "replica-limit-clusterwide.example.com"
-  matchResources:
-    namespaceSelector:
-      matchExpressions:
-      - key: environment
-        operator: Exists
-```
-
 <!--
 The params object representing a parameter resource will not be set if a parameter resource has
 not been bound, so for policies requiring a parameter resource, it can be useful to add a check to
@@ -460,7 +439,7 @@ admitted will be used.
 否则，当 `namespace` 为空且 `paramKind` 为命名空间作用域的资源时，使用被准入请求中指定的 `namespace`。
 
 <!--
-#### Authorization Check
+#### Authorization checks {#authorization-check} 
 
 We introduced the authorization check for parameter resources.
 User is expected to have `read` access to the resources referenced by `paramKind` in
@@ -524,19 +503,28 @@ CEL 表达式可以访问按 CEL 变量来组织的 Admission 请求/响应的
 - 'request' - Attributes of the [admission request](/docs/reference/config-api/apiserver-admission.v1/#admission-k8s-io-v1-AdmissionRequest).
 - 'params' - Parameter resource referred to by the policy binding being evaluated. The value is
   null if `ParamKind` is not specified.
+- `namespaceObject` - The namespace, as a Kubernetes resource, that the incoming object belongs to.
+  The value is null if the incoming object is cluster-scoped.
+-->
+- 'object' - 来自传入请求的对象。对于 DELETE 请求，该值为 null。
+- 'oldObject' - 现有对象。对于 CREATE 请求，该值为 null。
+- 'request' - [准入请求](/zh-cn/docs/reference/config-api/apiserver-admission.v1/#admission-k8s-io-v1-AdmissionRequest)的属性。
+- 'params' - 被计算的策略绑定引用的参数资源。如果未设置 `paramKind`，该值为 null。
+- `namespaceObject` - 作为 Kubernetes 资源的、传输对象所在的名字空间。
+  如果传入对象是集群作用域的，则此值为 null。
+
+<!--
 - `authorizer` - A CEL Authorizer. May be used to perform authorization checks for the principal
   (authenticated user) of the request. See
+  [AuthzSelectors](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#AuthzSelectors) and
   [Authz](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz) in the Kubernetes CEL library
   documentation for more details.
 - `authorizer.requestResource` - A shortcut for an authorization check configured with the request
   resource (group, resource, (subresource), namespace, name).
 -->
-- 'object' - 来自传入请求的对象。对于 DELETE 请求，该值为 null。
-- 'oldObject' - 现有对象。对于 CREATE 请求，该值为 null。
-- 'request' - [准入请求](/zh-cn/docs/reference/config-api/apiserver-admission.v1/#admission-k8s-io-v1-AdmissionRequest)的属性。
-- 'params' - 被计算的策略绑定引用的参数资源。如果未设置 `paramKind`，该值为 null。
 - `authorizer` - 一个 CEL 鉴权组件。可以用来为请求的主体（经过身份验证的用户）执行鉴权检查。
-  更多细节可以参考 Kubernetes CEL 库的文档中的 [Authz](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz)。
+  更多细节可以参考 [AuthzSelectors](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#AuthzSelectors)
+  和 Kubernetes CEL 库的文档中的 [Authz](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz)。
 - `authorizer.requestResource` - 针对请求资源（组、资源、（子资源）、命名空间、名称）所配置的鉴权检查的快捷方式。
 
 <!--
@@ -565,9 +553,28 @@ Concatenation on arrays with x-kubernetes-list-type use the semantics of the lis
 
 <!--
 #### Validation expression examples
+
+| Expression                                                                                   | Purpose                                                                           |
+|----------------------------------------------------------------------------------------------| ------------                                                                      |
+| `object.minReplicas <= object.replicas && object.replicas <= object.maxReplicas`             | Validate that the three fields defining replicas are ordered appropriately        |
+| `'Available' in object.stateCounts`                                                          | Validate that an entry with the 'Available' key exists in a map                   |
+| `(size(object.list1) == 0) != (size(object.list2) == 0)`                                     | Validate that one of two lists is non-empty, but not both                         |
+| <code>!('MY_KEY' in object.map1) &#124;&#124; object['MY_KEY'].matches('^[a-zA-Z]*$')</code> | Validate the value of a map for a specific key, if it is in the map               |
+| `object.envars.filter(e, e.name == 'MY_ENV').all(e, e.value.matches('^[a-zA-Z]*$')`          | Validate the 'value' field of a listMap entry where key field 'name' is 'MY_ENV'  |
+| `has(object.expired) && object.created + object.ttl < object.expired`                        | Validate that 'expired' date is after a 'create' date plus a 'ttl' duration       |
+| `object.health.startsWith('ok')`                                                             | Validate a 'health' string field has the prefix 'ok'                              |
+| `object.widgets.exists(w, w.key == 'x' && w.foo < 10)`                                       | Validate that the 'foo' property of a listMap item with a key 'x' is less than 10 |
+| `type(object) == string ? object == '100%' : object == 1000`                                 | Validate an int-or-string field for both the int and string cases             |
+| `object.metadata.name.startsWith(object.prefix)`                                             | Validate that an object's name has the prefix of another field value              |
+| `object.set1.all(e, !(e in object.set2))`                                                    | Validate that two listSets are disjoint                                           |
+| `size(object.names) == size(object.details) && object.names.all(n, n in object.details)`     | Validate the 'details' map is keyed by the items in the 'names' listSet           |
+| `size(object.clusters.filter(c, c.name == object.primary)) == 1`                             | Validate that the 'primary' property has one and only one occurrence in the 'clusters' listMap           |
+
+
 -->
 #### 检查表达式示例
 
+
 | 表达式                                                                                        | 目的                                                                     |
 | --------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
 | `object.minReplicas <= object.replicas && object.replicas <= object.maxReplicas`              | 检查定义副本的三个字段是否大小关系正确                                   |