From a7195c38b4a0b5032869f5083e4a65a397ea93b3 Mon Sep 17 00:00:00 2001 From: Sunil Singh Date: Tue, 11 Jun 2024 09:36:52 -0700 Subject: [PATCH 01/29] Initial draft, basic outline of SLO configuration through Rancher UI in Okta SAML page. Updating to other SAML pages currently after UX PR was finalized. Signed-off-by: Sunil Singh --- .../configure-keycloak-saml.md | 2 ++ .../authentication-config/configure-okta-saml.md | 16 ++++++++++++++-- .../configure-pingidentity.md | 2 ++ 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 4e3d9c2713c4..0aebd63ad670 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md @@ -192,3 +192,5 @@ Try configuring and saving keycloak as your SAML provider and then accessing the * Check your Keycloak log. * If the log displays `request validation failed: org.keycloak.common.VerificationException: SigAlg was null`, set `Client Signature Required` to `OFF` in your Keycloak client. + +## Configuring SAML Single Logout (SLO) diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index d53a871ad0b4..2d22a751d2b0 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md 
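Review bot: the `## Configuring SAML Single Logout (SLO)` heading appended to configure-keycloak-saml.md has nothing under it, so the published page would end in an empty section. Either fill it in now (the Okta page in this same patch carries the procedure and the three-option settings table, which apply with the provider name changed) or hold the heading back until the Keycloak text exists; the commit message says the other SAML pages are still being updated, so a bare heading should not ship in the meantime.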
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -51,7 +51,6 @@ You can integrate Okta with Rancher, so that authenticated users can access Ranc ::: - 1. After you complete the **Configure Okta Account** form, click **Enable**. Rancher redirects you to the IdP login page. Enter credentials that authenticate with Okta IdP to validate your Rancher Okta configuration. 
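Review bot: the only change in this hunk is the deleted blank line between the closing `:::` of the admonition and the `1. After you complete the **Configure Okta Account** form` step, which is unrelated to the SLO work. The other admonitions in this series keep a blank line after `:::` (see the `:::` followed by a blank line in the PingIdentity hunk), so leave it in place or move the cleanup to its own commit.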
@@ -108,4 +107,17 @@ The OpenLDAP service account is used for all searches. Rancher users will see us 1. Click **Okta** or, if SAML is already configured, **Edit Config** 1. Under **User and Group Search**, check **Configure an OpenLDAP server** -If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. \ No newline at end of file +If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. + +## Configuring SAML Single Logout (SLO) + +1. Sign into Rancher using a local user assigned the [administrator](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/global-permissions) role (i.e., the _local principal_). +1. In the top left corner, click **☰ > Users & Authentication**. +1. In the left navigation menu, click **Auth Provider**. +1. 
Under the section **Configure Single Logout (SLO)**, choose the appropriate SLO setting as described below: + + | Setting | Description | + | ------------------------- | ----------------------------------------------------------------------------- | + | Only log out of Rancher | Choosing this option will only logout the Rancher application and not external authentication providers. | + | Log out of Okta (including Rancher and all other application registered with the provider) | Choosing this option will logout Rancher and external authentication providers along with any registered application linked to the provider. | + | Allow the user to choose in an extra step | Choosing this option presents users with a choice of logout method as described above. | diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index e45d179881e5..db418a7f9d7d 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md @@ -64,3 +64,5 @@ Note that these URLs will not return valid data until the authentication configu - The group drop-down shows only the groups that you are a member of. You will not be able to add groups that you are not a member of. ::: + +## Configuring SAML Single Logout (SLO) From fbf440f0fd0a9f12e5868cafdb8779bf19ac74b3 Mon Sep 17 00:00:00 2001 From: Venkata Krishna Rohit Sakala Date: Fri, 13 Sep 2024 11:55:08 -0700 Subject: [PATCH 02/29] Add docs for the new field RefreshInterval --- .../helm-charts-in-rancher.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) 
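Review bot: the settings table under `## Configuring SAML Single Logout (SLO)` should state the consequence of each option, because that is what an administrator is choosing between: since **Only log out of Rancher** does not log out of the external provider, the Okta session remains, and a new Rancher login from the same browser completes through SSO without a fresh credential prompt; **Log out of Okta** ends the IdP session and with it the sessions of every other application registered with the provider. Wording in the same rows: "will only logout the Rancher application" reads better as "ends only the Rancher session", and "all other application registered" should be "applications". In step 1 the administrator role is linked with an absolute URL (`https://ranchermanager.docs.rancher.com/...`) while the paragraph just above this section uses a relative link (`../../../../faq/technical-items.md#how-can-i-enable-debug-logging`); use the relative form so versioned builds do not point at the latest docs.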
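Review bot: the `## Configuring SAML Single Logout (SLO)` heading appended to configure-pingidentity.md has no body, the same gap as the Keycloak file in this patch; add the procedure and settings table (adapted from the Okta hunk) or drop the heading until the content is ready, rather than publishing an empty section.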
diff --git a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 49253b610fc5..586c45572861 100644 --- a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md @@ -194,6 +194,19 @@ Non-Airgap Rancher installations upon refresh will reflect any chart repository Airgap installations where Rancher is configured to use the packaged copy of Helm system charts ([`useBundledSystemChart=true`](../../../getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md#helm-chart-options-for-air-gap-installations)) will only refer to the [system-chart](https://github.com/rancher/system-charts) repository that comes bundled and will not be able to be refreshed or synced. +#### Refresh Interval + +1. Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds. + +To modify the refresh interval of a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to modify, and click **⋮ > Edit YAML**. +1. Set the **refreshInterval** field under **Spec** to the desired value in seconds. +1. Click **Save**. + ## Deploy and Upgrade Charts To install and deploy a chart: From f8ce43ffa6c8a11a23a5c3e77d699797dca9e4e0 Mon Sep 17 00:00:00 2001 
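Review bot: `1. Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD.` is a single-item numbered list and renders with a stray "1."; it is an introductory paragraph, not a step (PATCH 03 in this series corrects exactly this, so squashing that fix here keeps the intermediate commit clean). Step 5, "Set the **refreshInterval** field under **Spec**", would be clearer with the YAML shown, e.g. `spec:` followed by `  refreshInterval: 3600`. A sentence on the trade-off would also help: a longer interval means new chart versions, including ones that fix security issues, are noticed later, while a much shorter one adds polling load on the repository.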
From: Billy Tat Date: Tue, 29 Oct 2024 14:13:24 -0700 Subject: [PATCH 03/29] Apply fbf440f0 (Add docs for the new field RefreshInterval) to zh/en 2.10 docs --- .../helm-charts-in-rancher.md | 6 +-- .../helm-charts-in-rancher.md | 40 +++++++++++++++++++ .../helm-charts-in-rancher.md | 15 ++++++- 3 files changed, 57 insertions(+), 4 deletions(-) diff --git a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 586c45572861..62b7ed54c6a2 100644 --- a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md @@ -194,9 +194,9 @@ Non-Airgap Rancher installations upon refresh will reflect any chart repository Airgap installations where Rancher is configured to use the packaged copy of Helm system charts ([`useBundledSystemChart=true`](../../../getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md#helm-chart-options-for-air-gap-installations)) will only refer to the [system-chart](https://github.com/rancher/system-charts) repository that comes bundled and will not be able to be refreshed or synced. -#### Refresh Interval +#### Refresh Interval -1. Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds. +Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds. To modify the refresh interval of a chart repository: 
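Review bot: the list-item-to-paragraph correction of `1. Rancher v2.10.0 adds the `refreshInterval` field` and the trailing-whitespace fix on `#### Refresh Interval` both repair text introduced by fbf440f0 (PATCH 02) one commit earlier; squash them into that commit rather than leaving a commit in the history that renders the section with a stray "1.".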
@@ -214,7 +214,7 @@ To install and deploy a chart: 1. Click **☰ > Cluster Management**. 1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. 1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Charts**. -1. Select a chart, and click **Install**. +1. Select a chart, and click **Install**. Rancher and Partner charts may have extra configurations available through custom pages or questions.yaml files. However, all chart installations can modify the values.yaml and other basic settings. After you click **Install**, a Helm operation job is deployed, and the console for the job is displayed. diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 48ecc783bee5..b218a4df82bf 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
@@ -161,10 +161,50 @@ spec: ::: +### Add Custom OCI Chart Repositories + +:::caution + +This feature is currently experimental and is not officially supported in Rancher. + +::: + +Helm v3 introduced storing Helm charts as [Open Container Initiative (OCI)](https://opencontainers.org/about/overview/) artifacts in container registries. With Rancher v2.9.0, you can add [OCI-based Helm chart repositories](https://helm.sh/docs/topics/registries/) alongside HTTP-based and Git-based repositories. This means you can deploy apps that are stored as OCI artifacts. For more information, see [Using OCI Helm Chart Repositories](./oci-repositories.md). + ### Helm 兼容性 仅支持 Helm 3 兼容 Chart 。 +### Refresh Chart Repositories + +The **Refresh** button can be used to sync changes from selected Helm chart repositories on the **Repositories** page. + +To refresh a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Use the toggle next to the **State** field to select all repositories, or toggle specified chart repositories to sync changes. +1. Click **Refresh**. +1. The **⋮** at the end of each chart repository row also includes a **Refresh** option, which can be clicked to refresh the respective repository. + +Non-Airgap Rancher installations upon refresh will reflect any chart repository changes immediately and you will see the **State** field for updated repositories move from `In Progress` to `Active` once the action is completed. 
+ +Airgap installations where Rancher is configured to use the packaged copy of Helm system charts ([`useBundledSystemChart=true`](../../../getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md#helm-chart-options-for-air-gap-installations)) will only refer to the [system-chart](https://github.com/rancher/system-charts) repository that comes bundled and will not be able to be refreshed or synced. + +#### Refresh Interval + +Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds. + +To modify the refresh interval of a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to modify, and click **⋮ > Edit YAML**. +1. Set the **refreshInterval** field under **Spec** to the desired value in seconds. +1. Click **Save**. + ### 部署和升级 Chart 安装和部署 chart: diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 84ae382badbb..f3e6b10b5731 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
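Review bot: the content inserted into the i18n/zh file is English (`### Add Custom OCI Chart Repositories`, `### Refresh Chart Repositories`, `#### Refresh Interval`) sitting between the Chinese headings `### Helm 兼容性` and `### 部署和升级 Chart`; if untranslated fallback text is the accepted practice for the zh tree, say so in the commit message, otherwise these sections need a translation or a tracking note. The commit subject names only RefreshInterval, but this hunk also backports the `:::caution` experimental OCI repositories section and the entire Refresh Chart Repositories procedure into the 2.10 translation; confirm both belong on the 2.10 branch and list them in the message so the backport is reviewable against its source.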
@@ -194,6 +194,19 @@ Non-Airgap Rancher installations upon refresh will reflect any chart repository Airgap installations where Rancher is configured to use the packaged copy of Helm system charts ([`useBundledSystemChart=true`](../../../getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md#helm-chart-options-for-air-gap-installations)) will only refer to the [system-chart](https://github.com/rancher/system-charts) repository that comes bundled and will not be able to be refreshed or synced. +#### Refresh Interval + +Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds. + +To modify the refresh interval of a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to modify, and click **⋮ > Edit YAML**. +1. Set the **refreshInterval** field under **Spec** to the desired value in seconds. +1. Click **Save**. + ## Deploy and Upgrade Charts To install and deploy a chart: 
@@ -201,7 +214,7 @@ To install and deploy a chart: 1. Click **☰ > Cluster Management**. 1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. 1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Charts**. -1. Select a chart, and click **Install**. +1. Select a chart, and click **Install**. Rancher and Partner charts may have extra configurations available through custom pages or questions.yaml files. However, all chart installations can modify the values.yaml and other basic settings. After you click **Install**, a Helm operation job is deployed, and the console for the job is displayed. From 954b9fe73e6984c53308fb20cd97a0c82aec3f53 Mon Sep 17 00:00:00 2001 From: Venkata Krishna Rohit Sakala Date: Fri, 13 Sep 2024 11:14:55 -0700 Subject: [PATCH 04/29] Add docs about enable/disable functionality in clusterrepo --- .../helm-charts-in-rancher.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 49253b610fc5..d832455eba85 100644 --- a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
@@ -194,6 +194,29 @@ Non-Airgap Rancher installations upon refresh will reflect any chart repository Airgap installations where Rancher is configured to use the packaged copy of Helm system charts ([`useBundledSystemChart=true`](../../../getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md#helm-chart-options-for-air-gap-installations)) will only refer to the [system-chart](https://github.com/rancher/system-charts) repository that comes bundled and will not be able to be refreshed or synced. +### Enable/Disable Helm Chart Repositories + +Rancher v2.10.0 adds the ability to enable and disable Helm repositories. Helm repositories are enabled by default. + +To disable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **false**. +1. Click **Save**. +1. When you disable a repository, updates are disabled and new changes to the clusterRepo are not applied. + +To enable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **true**. +1. Click **Save**. + ## Deploy and Upgrade Charts To install and deploy a chart: From 4ccbbdf8b66a7c3c35e67d21672922c003af637c Mon Sep 17 00:00:00 2001 
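Review bot: in the "To enable a chart repository" procedure, step 4 reads "Find the repository you want to disable" but should say "enable"; it was copied from the disable list. The last item of the disable list, `1. When you disable a repository, updates are disabled and new changes to the clusterRepo are not applied.`, is an outcome rather than a step: move it out of the numbered list as a plain sentence or a `:::note`, write `ClusterRepo` with the casing used elsewhere, and spell out that a disabled repository stops receiving index updates, so its charts fall behind upstream releases until it is re-enabled. The field is named **Enabled** under **Spec**, whereas the neighbouring Refresh Interval section gives the YAML key as it appears in the manifest (`refreshInterval`); check whether the key is `enabled` and present it the same way, ideally as the two-line YAML. Finally, `index 49253b610fc5..d832455eba85` shows this patch is based on the same blob as fbf440f0 (PATCH 02) rather than on its result (`62b7ed54c6a2` after PATCH 03), and both insert at `@@ -194,6`; the series needs a rebase so the patches apply in order.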
From: Billy Tat Date: Tue, 29 Oct 2024 14:28:56 -0700 Subject: [PATCH 05/29] Apply 954b9fe7 (Add docs about enable/disable functionality in clusterrepo) zh/en 2.10 docs --- .../helm-charts-in-rancher.md | 2 +- .../helm-charts-in-rancher.md | 23 +++++++++++++++++ .../helm-charts-in-rancher.md | 25 ++++++++++++++++++- 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index d832455eba85..58bd62b889fb 100644 --- a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md @@ -224,7 +224,7 @@ To install and deploy a chart: 1. Click **☰ > Cluster Management**. 1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. 1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Charts**. -1. Select a chart, and click **Install**. +1. Select a chart, and click **Install**. Rancher and Partner charts may have extra configurations available through custom pages or questions.yaml files. However, all chart installations can modify the values.yaml and other basic settings. After you click **Install**, a Helm operation job is deployed, and the console for the job is displayed. diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 48ecc783bee5..c9d475c35031 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md @@ -165,6 +165,29 @@ spec: 仅支持 Helm 3 兼容 Chart 。 +### Enable/Disable Helm Chart Repositories + +Rancher v2.10.0 adds the ability to enable and disable Helm repositories. Helm repositories are enabled by default. + +To disable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **false**. +1. Click **Save**. +1. When you disable a repository, updates are disabled and new changes to the clusterRepo are not applied. + +To enable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **true**. +1. Click **Save**. + ### 部署和升级 Chart 安装和部署 chart: diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 84ae382badbb..4fbabf98051b 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
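Review bot: the copy-paste error from 954b9fe7 is carried over: step 4 of "To enable a chart repository" still says "Find the repository you want to disable", and the outcome sentence `1. When you disable a repository, ...` is still formatted as a numbered step. Correct the source commit before backporting so the zh and versioned copies do not need a second pass. As with the RefreshInterval backport, this is English text inserted between the Chinese `仅支持 Helm 3 兼容 Chart 。` and `### 部署和升级 Chart`.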
@@ -194,6 +194,29 @@ Non-Airgap Rancher installations upon refresh will reflect any chart repository Airgap installations where Rancher is configured to use the packaged copy of Helm system charts ([`useBundledSystemChart=true`](../../../getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md#helm-chart-options-for-air-gap-installations)) will only refer to the [system-chart](https://github.com/rancher/system-charts) repository that comes bundled and will not be able to be refreshed or synced. +### Enable/Disable Helm Chart Repositories + +Rancher v2.10.0 adds the ability to enable and disable Helm repositories. Helm repositories are enabled by default. + +To disable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **false**. +1. Click **Save**. +1. When you disable a repository, updates are disabled and new changes to the clusterRepo are not applied. + +To enable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **true**. +1. Click **Save**. + ## Deploy and Upgrade Charts To install and deploy a chart: 
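Review bot: the same two defects as the docs/ copy in 954b9fe7 are present here: "Find the repository you want to disable" in the enable procedure should read "enable", and `1. When you disable a repository, updates are disabled ...` should not be a list item. Take the backport after the source is fixed so the 2.10 versioned page does not ship the errors.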
@@ -201,7 +224,7 @@ To install and deploy a chart: 1. Click **☰ > Cluster Management**. 1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. 1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Charts**. -1. Select a chart, and click **Install**. +1. Select a chart, and click **Install**. Rancher and Partner charts may have extra configurations available through custom pages or questions.yaml files. However, all chart installations can modify the values.yaml and other basic settings. After you click **Install**, a Helm operation job is deployed, and the console for the job is displayed. From 9c3755a73a31cb3f40328adb4cd1358cb88be8a1 Mon Sep 17 00:00:00 2001 From: Venkata Krishna Rohit Sakala Date: Mon, 7 Oct 2024 11:27:20 -0700 Subject: [PATCH 06/29] Remove OPA Gatekeeper docs OPA Gatekeeper is no longer available from 2.10 Rancher. So removing the docs related to it. --- .../integrations-in-rancher/opa-gatekeeper.md | 117 ------------------ .../reference-guides/rancher-cluster-tools.md | 6 - sidebars.js | 1 - 3 files changed, 124 deletions(-) delete mode 100644 docs/integrations-in-rancher/opa-gatekeeper.md diff --git a/docs/integrations-in-rancher/opa-gatekeeper.md b/docs/integrations-in-rancher/opa-gatekeeper.md deleted file mode 100644 index cea9732b36cd..000000000000 --- a/docs/integrations-in-rancher/opa-gatekeeper.md +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -title: OPA Gatekeeper ---- - - - - - - - -To ensure consistency and compliance, every organization needs the ability to define and enforce policies in its environment in an automated way. [OPA (Open Policy Agent)](https://www.openpolicyagent.org/) is a policy engine that facilitates policy-based control for cloud native environments. Rancher provides the ability to enable OPA Gatekeeper in Kubernetes clusters, and also installs a couple of built-in policy definitions, which are also called constraint templates. - -OPA provides a high-level declarative language that lets you specify policy as code and ability to extend simple APIs to offload policy decision-making. - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: - -- An extensible, parameterized policy library. -- Native Kubernetes CRDs for instantiating the policy library, also called “constraints." -- Native Kubernetes CRDs for extending the policy library, also called "constraint templates." -- Audit functionality. - -To read more about OPA, please refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/) - -## How the OPA Gatekeeper Integration Works - -Kubernetes provides the ability to extend API server functionality via admission controller webhooks, which are invoked whenever a resource is created, updated or deleted. Gatekeeper is installed as a validating webhook and enforces policies defined by Kubernetes custom resource definitions. In addition to the admission control usage, Gatekeeper provides the capability to audit existing resources in Kubernetes clusters and mark current violations of enabled policies. 
- -OPA Gatekeeper is made available via Rancher's Helm system chart, and it is installed in a namespace named `gatekeeper-system.` - -## Enabling OPA Gatekeeper in a Cluster - -:::note - -In Rancher v2.5, the OPA Gatekeeper application was improved. The Rancher v2.4 feature can't be upgraded to the new version in Rancher v2.5. If you installed OPA Gatekeeper in Rancher v2.4, you will need to uninstall OPA Gatekeeper and its CRDs from the old UI, then reinstall it in Rancher v2.5. To uninstall the CRDs run the following command in the kubectl console `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh`. - -::: - -:::note Prerequisite: - -Only administrators and cluster owners can enable OPA Gatekeeper. - -::: - -The OPA Gatekeeper Helm chart can be installed from **Apps**. - -### Enabling OPA Gatekeeper - -1. In the upper left corner, click **☰ > Cluster Management**. -1. In the **Clusters** page, go to the cluster where you want to enable OPA Gatekeeper and click **Explore**. -1. In the left navigation bar, click **Apps**. -1. Click **Charts** and click **OPA Gatekeeper**. -1. Click **Install**. - -**Result:** OPA Gatekeeper is deployed in your Kubernetes cluster. - -## Constraint Templates - -[Constraint templates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) are Kubernetes custom resources that define the schema and Rego logic of the OPA policy to be applied by Gatekeeper. For more information on the Rego policy language, refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/policy-language/) - -When OPA Gatekeeper is enabled, Rancher installs some templates by default. - -To list the constraint templates installed in the cluster, go to the left side menu under OPA Gatekeeper and click on **Templates**. - -Rancher also provides the ability to create your own constraint templates by importing YAML definitions. 
- -## Creating and Configuring Constraints - -[Constraints](https://github.com/open-policy-agent/gatekeeper#constraints) are Kubernetes custom resources that define the scope of objects to which a specific constraint template applies to. The complete policy is defined by constraint templates and constraints together. - -:::note Prerequisite: - -OPA Gatekeeper must be enabled in the cluster. - -::: - -To list the constraints installed, go to the left side menu under OPA Gatekeeper, and click on **Constraints**. - -New constraints can be created from a constraint template. - -Rancher provides the ability to create a constraint by using a convenient form that lets you input the various constraint fields. - -The **Edit as yaml** option is also available to configure the the constraint's yaml definition. - -### Exempting Rancher's System Namespaces from Constraints - -When a constraint is created, ensure that it does not apply to any Rancher or Kubernetes system namespaces. If the system namespaces are not excluded, then it is possible to see many resources under them marked as violations of the constraint. - -To limit the scope of the constraint only to user namespaces, always specify these namespaces under the **Match** field of the constraint. - -Also, the constraint may interfere with other Rancher functionality and deny system workloads from being deployed. To avoid this, exclude all Rancher-specific namespaces from your constraints. - -## Enforcing Constraints in your Cluster - -When the **Enforcement Action** is **Deny,** the constraint is immediately enabled and will deny any requests that violate the policy defined. By default, the enforcement value is **Deny**. - -When the **Enforcement Action** is **Dryrun,** then any resources that violate the policy are only recorded under the constraint's status field. - -To enforce constraints, create a constraint using the form. In the **Enforcement Action** field, choose **Deny**. 
- -## Audit and Violations in your Cluster - -OPA Gatekeeper runs a periodic audit to check if any existing resource violates any enforced constraint. The audit-interval (default 300s) can be configured while installing Gatekeeper. - -On the Gatekeeper page, any violations of the defined constraints are listed. - -Also under **Constraints,** the number of violations of the constraint can be found. - -The detail view of each constraint lists information about the resource that violated the constraint. - -## Disabling Gatekeeper - -1. Navigate to the cluster's Dashboard view -1. On the left side menu, expand the cluster menu and click on **OPA Gatekeeper**. -1. Click the **⋮ > Disable**. - -**Result:** Upon disabling OPA Gatekeeper, all constraint templates and constraints will also be deleted. - diff --git a/docs/reference-guides/rancher-cluster-tools.md b/docs/reference-guides/rancher-cluster-tools.md index 4607ae590353..ad46fbdd9d25 100644 --- a/docs/reference-guides/rancher-cluster-tools.md +++ b/docs/reference-guides/rancher-cluster-tools.md @@ -42,12 +42,6 @@ Rancher's integration with Istio was improved in Rancher v2.5. For more information, refer to the Istio documentation [here.](../integrations-in-rancher/istio/istio.md) -## OPA Gatekeeper - - - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is an open-source project that provides integration between OPA and Kubernetes to provide policy control via admission controller webhooks. For details on how to enable Gatekeeper in Rancher, refer to the [OPA Gatekeeper section.](../integrations-in-rancher/opa-gatekeeper.md) - ## CIS Scans Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. diff --git a/sidebars.js b/sidebars.js index b5766e2fd9a3..12a6e77233ef 100644 --- a/sidebars.js +++ b/sidebars.js 
@@ -1292,7 +1292,6 @@ const sidebars = { "integrations-in-rancher/monitoring-and-alerting/promql-expressions", ] }, - "integrations-in-rancher/opa-gatekeeper", "integrations-in-rancher/rancher-extensions", ] }, From e12d7b2f11e6c481f04811ad72363dc28d0f3d1d Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Tue, 29 Oct 2024 14:33:18 -0700 Subject: [PATCH 07/29] Remove other OPA Gatekeeper refs --- .../pod-security-standards.md | 2 +- .../new-user-guides/manage-clusters/manage-clusters.md | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md index 7b55b963fda3..5e8f2ee3b584 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md 
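Review bot: Missing documentation in the `docs/reference-guides/rancher-cluster-tools.md` hunk: the `## OPA Gatekeeper` section is dropped without any replacement text, and the deleted integration page was the only place that warned readers that disabling Gatekeeper also deletes every constraint template and constraint. A user who still has the chart installed now has neither the warning nor a pointer to what to use instead. Suggest leaving a short note where the section was, saying that the integration is no longer documented, that disabling it removes all constraints, and that enforcement should be moved to one of the engines the series still recommends (Kubewarden, Kyverno or NeuVector) before the constraints go away, mirroring the existing caution in pod-security-standards.md about adding the new enforcement mechanism before removing the old one.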
@@ -13,7 +13,7 @@ PSS define security levels for workloads. PSAs describe requirements for pod sec ## Upgrade to Pod Security Standards (PSS) -Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper), [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. +Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. :::caution You must add your new policy enforcement mechanisms _before_ you remove the PodSecurityPolicy objects. If you don't, you may create an opportunity for privilege escalation attacks within the cluster. diff --git a/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md b/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md index eafa50faff9d..a694c2f77c2c 100644 --- a/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md +++ b/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md 
@@ -31,6 +31,5 @@ Rancher contains a variety of tools that aren't included in Kubernetes to assist - Logging - Monitoring - Istio Service Mesh -- OPA Gatekeeper Tools can be installed through **Apps.** From dbd4dfa688c237dd7c7abbc6527d9bbcb661388b Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Tue, 29 Oct 2024 14:39:27 -0700 Subject: [PATCH 08/29] Apply 9c3755a7 and e12d7b2f (Remove OPA Gatekeeper docs) to en/zh 2.10 docs --- .../pod-security-standards.md | 2 +- .../manage-clusters/manage-clusters.md | 1 - .../integrations-in-rancher/opa-gatekeeper.md | 111 ----------------- .../reference-guides/rancher-cluster-tools.md | 5 +- .../pod-security-standards.md | 2 +- .../manage-clusters/manage-clusters.md | 1 - .../integrations-in-rancher/opa-gatekeeper.md | 117 ------------------ .../reference-guides/rancher-cluster-tools.md | 6 - versioned_sidebars/version-2.10-sidebars.json | 1 - 9 files changed, 3 insertions(+), 243 deletions(-) delete mode 100644 i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md delete mode 100644 versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md index 7c16ac101924..75053324a0e1 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md 
@@ -9,7 +9,7 @@ PSS 定义了工作负载的安全级别。PSA 描述了 Pod 安全上下文和 ## 升级到 Pod 安全标准 (PSS) -确保将所有 PSP 都迁移到了另一个工作负载安全机制,包括将你当前的 PSP 映射到 Pod 安全标准,以便使用 [PSA 控制器](https://kubernetes.io/docs/concepts/security/pod-security-admission/)执行。如果 PSA 控制器不能满足企业的所有需求,建议你使用策略引擎,例如 [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper)、[Kubewarden](https://www.kubewarden.io/)、[Kyverno](https://kyverno.io/) 或 [NeuVector](https://neuvector.com/)。有关如何迁移 PSP 的更多信息,请参阅你选择的策略引擎的文档。 +确保将所有 PSP 都迁移到了另一个工作负载安全机制,包括将你当前的 PSP 映射到 Pod 安全标准,以便使用 [PSA 控制器](https://kubernetes.io/docs/concepts/security/pod-security-admission/)执行。如果 PSA 控制器不能满足企业的所有需求,建议你使用策略引擎,例如 [Kubewarden](https://www.kubewarden.io/)、[Kyverno](https://kyverno.io/) 或 [NeuVector](https://neuvector.com/)。有关如何迁移 PSP 的更多信息,请参阅你选择的策略引擎的文档。 :::caution 必须在删除 PodSecurityPolicy 对象_之前_添加新的策略执行机制。否则,你可能会为集群内的特权升级攻击创造机会。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md index a1c89025444f..c6de1117793a 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md @@ -31,6 +31,5 @@ Rancher 包含 Kubernetes 中未包含的各种工具来协助你进行 DevOps - Logging - Monitoring - Istio 服务网格 -- OPA Gatekeeper 你可以通过 **Apps** 来安装工具。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md deleted file mode 100644 index 41c91274c668..000000000000 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md +++ /dev/null 
@@ -1,111 +0,0 @@ ---- -title: OPA Gatekeeper ---- - -为了确保一致性和合规性,每个组织都需要能够以自动化的方式在环境中定义和执行策略。[OPA(Open Policy Agent)](https://www.openpolicyagent.org/) 是一个策略引擎,用于基于策略控制云原生环境。Rancher 支持在 Kubernetes 集群中启用 OPA Gatekeeper,并且还安装了一些内置的策略定义(也称为约束模板)。 - -OPA 提供了一种高级声明性语言,可以让你将策略指定为代码,还能扩展简单的 API,从而减轻策略决策的负担。 - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) 是一个提供 OPA 和 Kubernetes 集成的项目。OPA Gatekeeper 提供: - -- 一个可扩展的参数化策略库。 -- 用于实例化策略库的原生 Kubernetes CRD,也称为“约束”。 -- 用于扩展策略库的原生 Kubernetes CRD,也称为“约束模板”。 -- 审计功能。 - -要了解更多关于 OPA 的信息,请参阅[官方文档](https://www.openpolicyagent.org/docs/latest/)。 - -## OPA Gatekeeper 集成的工作原理 - -Kubernetes 支持通过准入控制器(准入控制器)webhook 来扩展 API Server 的功能,创建、更新或删除资源时都会调用这些 webhook。Gatekeeper 作为验证 webhook 安装,并执行由 Kubernetes CRD(Custom Resource Definition)定义的策略。除了使用准入控制之外,Gatekeeper 还能审计 Kubernetes 集群中的现有资源,并对违反当前策略的情况进行标记。 - -OPA Gatekeeper 由 Rancher 的 Helm system Chart 提供,它安装在名为 `gatekeeper-system` 的命名空间中。 - -## 在集群中启用 OPA Gatekeeper - -:::note - -Rancher 2.5 改进了 OPA Gatekeeper 应用。无法从 Rancher 2.4 升级到 Rancher 2.5 中的新版本。如果你在 Rancher 2.4 中安装了 OPA Gatekeeper,则需要在旧 UI 中卸载 OPA Gatekeeper 及其 CRD,然后在 Rancher 2.5 中重新安装它。如需卸载 CRD,请在 kubectl 控制台中运行 `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh` 命令。 - -::: - -:::note 先决条件: - -只有管理员和集群所有者才能启用 OPA Gatekeeper。 - -::: - -你可以在 **Apps** 页面安装 OPA Gatekeeper Helm Chart。 - -### 启用 OPA Gatekeeper - -1. 在左上角,单击 **☰ > 集群管理**。 -1. 在**集群**页面中,转到要启用 OPA Gatekeeper 的集群,然后单击 **Explore**。 -1. 在左侧导航栏中,点击 **Apps**。 -1. 点击 **Charts** 并点击 **OPA Gatekeeper**。 -1. 
单击**安装**。 - -**结果**:已将 OPA Gatekeeper 部署到你的 Kubernetes 集群。 - -## 约束模板 - -[约束模板](https://github.com/open-policy-agent/gatekeeper#constraint-templates)是 Kubernetes 自定义资源,用于定义要由 Gatekeeper 应用的 OPA 策略的架构和 Rego 逻辑。有关 Rego 策略语言的更多信息,请参阅[官方文档](https://www.openpolicyagent.org/docs/latest/policy-language/)。 - -启用 OPA Gatekeeper 后,Rancher 默认会安装一些模板。 - -要列出集群中安装的约束模板,请转到 OPA Gatekeeper 下的左侧菜单,然后单击**模板**。 - -Rancher 还支持通过导入 YAML 定义来创建你自己的约束模板。 - -## 创建和配置约束 - -[约束](https://github.com/open-policy-agent/gatekeeper#constraints)是 Kubernetes 自定义资源,用于定义要应用约束模板的对象范围。约束模板和约束共同定义一个完整的策略。 - -:::note 先决条件: - -集群中已启用 OPA Gatekeeper。 - -::: - -要列出已安装的约束,请转到 OPA Gatekeeper 下的左侧菜单,然后单击**约束**。 - -可以从约束模板创建新的约束。 - -Rancher 支持通过使用方便的表单来创建约束,你可以在该表单中输入各种约束字段。 - -**以 YAML 文件编辑**选项也可以用于配置约束的 YAML 定义。 - -### 使 Rancher 的 System 命名空间不受约束 - -创建约束时,请确保该约束不应用于任何 Rancher 或 Kubernetes System 命名空间。如果不排除 System 命名空间,则可能会出现 system 命名空间下的许多资源被标记为违反约束。 - -要让约束仅限制用户命名空间,请在约束的**匹配**字段下指定这些命名空间。 - -此外,该约束可能会干扰其他 Rancher 功能并拒绝部署系统工作负载。为避免这种情况,请从你的约束中排除所有 Rancher 特定的命名空间。 - -## 在集群中实施约束 - -如果**执行动作**为 **Deny**,约束会立即启用,并拒绝任何违反策略的请求。默认情况下,执行的值为 **Deny**。 - -如果**执行动作** 为 **Dryrun**,违反策略的资源仅会记录在约束的状态字段中。 - -要强制执行约束,请使用表单创建约束。在**执行动作**字段中,选择 **Deny**。 - -## 集群中的审计和违规 - -OPA Gatekeeper 运行定期审计,以检查现有资源是否违反强制执行的约束。你可以在安装 Gatekeeper 时配置审计间隔(默认 300 秒)。 - -Gatekeeper 页面上列出了违反已定义的约束的情况。 - -此外,你也可以在**约束**页面中找到违反约束的数量。 - -每个约束的详细信息视图列出了违反约束的资源的信息。 - -## 禁用 Gatekeeper - -1. 导航到集群的仪表板视图。 -1. 在左侧菜单中,展开集群菜单并单击 **OPA Gatekeeper**。 -1. 单击 **⋮ > 禁用**。 - -**结果**:禁用 OPA Gatekeeper 后,所有约束模板和约束也将被删除。 - diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md index e454be93e768..29a448f3a1f6 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md 
@@ -4,7 +4,6 @@ title: 集群工具:Logging,Monitoring 和可视化 Rancher 包含 Kubernetes 中未包含的各种工具来协助你进行 DevOps 操作。Rancher 可以与外部服务集成,让你的集群更高效地运行。工具分为以下几类: - ## Logging Logging 支持: @@ -18,6 +17,7 @@ Logging 支持: Rancher 可以与 Elasticsearch、splunk、kafka、syslog 和 fluentd 集成。 有关详细信息,请参阅 [Logging 文档](../integrations-in-rancher/logging/logging.md)。 + ## 监控和告警 你可以使用 Rancher,通过业界领先并开源的 [Prometheus](https://prometheus.io/) 来监控集群节点、Kubernetes 组件和软件部署的状态和进程。 @@ -37,9 +37,6 @@ Rancher 可以与 Elasticsearch、splunk、kafka、syslog 和 fluentd 集成。 Rancher v2.5 改进了与 Istio 的集成。 如需更多信息,请参阅 [Istio 文档](..//integrations-in-rancher/istio/istio.md)。 -## OPA Gatekeeper - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) 是一个开源项目,它对 OPA 和 Kubernetes 进行了集成,以通过许可控制器 Webhook 提供策略控制。有关如何在 Rancher 中启用 Gatekeeper 的详细信息,请参阅 [OPA Gatekeeper](../integrations-in-rancher/opa-gatekeeper.md)。 ## CIS 扫描 diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md index 7b55b963fda3..5e8f2ee3b584 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md 
@@ -13,7 +13,7 @@ PSS define security levels for workloads. PSAs describe requirements for pod sec ## Upgrade to Pod Security Standards (PSS) -Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper), [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. +Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. :::caution You must add your new policy enforcement mechanisms _before_ you remove the PodSecurityPolicy objects. If you don't, you may create an opportunity for privilege escalation attacks within the cluster. diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md index eafa50faff9d..a694c2f77c2c 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md 
+++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md @@ -31,6 +31,5 @@ Rancher contains a variety of tools that aren't included in Kubernetes to assist - Logging - Monitoring - Istio Service Mesh -- OPA Gatekeeper Tools can be installed through **Apps.** diff --git a/versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md b/versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md deleted file mode 100644 index cea9732b36cd..000000000000 --- a/versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -title: OPA Gatekeeper ---- - - - - - - - -To ensure consistency and compliance, every organization needs the ability to define and enforce policies in its environment in an automated way. [OPA (Open Policy Agent)](https://www.openpolicyagent.org/) is a policy engine that facilitates policy-based control for cloud native environments. Rancher provides the ability to enable OPA Gatekeeper in Kubernetes clusters, and also installs a couple of built-in policy definitions, which are also called constraint templates. - -OPA provides a high-level declarative language that lets you specify policy as code and ability to extend simple APIs to offload policy decision-making. - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: - -- An extensible, parameterized policy library. -- Native Kubernetes CRDs for instantiating the policy library, also called “constraints." -- Native Kubernetes CRDs for extending the policy library, also called "constraint templates." -- Audit functionality. - -To read more about OPA, please refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/) - -## How the OPA Gatekeeper Integration Works - -Kubernetes provides the ability to extend API server functionality via admission controller webhooks, which are invoked whenever a resource is created, updated or deleted. Gatekeeper is installed as a validating webhook and enforces policies defined by Kubernetes custom resource definitions. In addition to the admission control usage, Gatekeeper provides the capability to audit existing resources in Kubernetes clusters and mark current violations of enabled policies. 
- -OPA Gatekeeper is made available via Rancher's Helm system chart, and it is installed in a namespace named `gatekeeper-system.` - -## Enabling OPA Gatekeeper in a Cluster - -:::note - -In Rancher v2.5, the OPA Gatekeeper application was improved. The Rancher v2.4 feature can't be upgraded to the new version in Rancher v2.5. If you installed OPA Gatekeeper in Rancher v2.4, you will need to uninstall OPA Gatekeeper and its CRDs from the old UI, then reinstall it in Rancher v2.5. To uninstall the CRDs run the following command in the kubectl console `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh`. - -::: - -:::note Prerequisite: - -Only administrators and cluster owners can enable OPA Gatekeeper. - -::: - -The OPA Gatekeeper Helm chart can be installed from **Apps**. - -### Enabling OPA Gatekeeper - -1. In the upper left corner, click **☰ > Cluster Management**. -1. In the **Clusters** page, go to the cluster where you want to enable OPA Gatekeeper and click **Explore**. -1. In the left navigation bar, click **Apps**. -1. Click **Charts** and click **OPA Gatekeeper**. -1. Click **Install**. - -**Result:** OPA Gatekeeper is deployed in your Kubernetes cluster. - -## Constraint Templates - -[Constraint templates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) are Kubernetes custom resources that define the schema and Rego logic of the OPA policy to be applied by Gatekeeper. For more information on the Rego policy language, refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/policy-language/) - -When OPA Gatekeeper is enabled, Rancher installs some templates by default. - -To list the constraint templates installed in the cluster, go to the left side menu under OPA Gatekeeper and click on **Templates**. - -Rancher also provides the ability to create your own constraint templates by importing YAML definitions. 
- -## Creating and Configuring Constraints - -[Constraints](https://github.com/open-policy-agent/gatekeeper#constraints) are Kubernetes custom resources that define the scope of objects to which a specific constraint template applies to. The complete policy is defined by constraint templates and constraints together. - -:::note Prerequisite: - -OPA Gatekeeper must be enabled in the cluster. - -::: - -To list the constraints installed, go to the left side menu under OPA Gatekeeper, and click on **Constraints**. - -New constraints can be created from a constraint template. - -Rancher provides the ability to create a constraint by using a convenient form that lets you input the various constraint fields. - -The **Edit as yaml** option is also available to configure the the constraint's yaml definition. - -### Exempting Rancher's System Namespaces from Constraints - -When a constraint is created, ensure that it does not apply to any Rancher or Kubernetes system namespaces. If the system namespaces are not excluded, then it is possible to see many resources under them marked as violations of the constraint. - -To limit the scope of the constraint only to user namespaces, always specify these namespaces under the **Match** field of the constraint. - -Also, the constraint may interfere with other Rancher functionality and deny system workloads from being deployed. To avoid this, exclude all Rancher-specific namespaces from your constraints. - -## Enforcing Constraints in your Cluster - -When the **Enforcement Action** is **Deny,** the constraint is immediately enabled and will deny any requests that violate the policy defined. By default, the enforcement value is **Deny**. - -When the **Enforcement Action** is **Dryrun,** then any resources that violate the policy are only recorded under the constraint's status field. - -To enforce constraints, create a constraint using the form. In the **Enforcement Action** field, choose **Deny**. 
- -## Audit and Violations in your Cluster - -OPA Gatekeeper runs a periodic audit to check if any existing resource violates any enforced constraint. The audit-interval (default 300s) can be configured while installing Gatekeeper. - -On the Gatekeeper page, any violations of the defined constraints are listed. - -Also under **Constraints,** the number of violations of the constraint can be found. - -The detail view of each constraint lists information about the resource that violated the constraint. - -## Disabling Gatekeeper - -1. Navigate to the cluster's Dashboard view -1. On the left side menu, expand the cluster menu and click on **OPA Gatekeeper**. -1. Click the **⋮ > Disable**. - -**Result:** Upon disabling OPA Gatekeeper, all constraint templates and constraints will also be deleted. - diff --git a/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md b/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md index 4607ae590353..ad46fbdd9d25 100644 --- a/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md +++ b/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md @@ -42,12 +42,6 @@ Rancher's integration with Istio was improved in Rancher v2.5. For more information, refer to the Istio documentation [here.](../integrations-in-rancher/istio/istio.md) -## OPA Gatekeeper - - - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is an open-source project that provides integration between OPA and Kubernetes to provide policy control via admission controller webhooks. For details on how to enable Gatekeeper in Rancher, refer to the [OPA Gatekeeper section.](../integrations-in-rancher/opa-gatekeeper.md) - ## CIS Scans Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. 
diff --git a/versioned_sidebars/version-2.10-sidebars.json b/versioned_sidebars/version-2.10-sidebars.json index 072459e52284..7af1666eee9d 100644 --- a/versioned_sidebars/version-2.10-sidebars.json +++ b/versioned_sidebars/version-2.10-sidebars.json @@ -1253,7 +1253,6 @@ "integrations-in-rancher/monitoring-and-alerting/promql-expressions" ] }, - "integrations-in-rancher/opa-gatekeeper", "integrations-in-rancher/rancher-extensions" ] }, From 770c5bfed25378a427c79dbea4cb3a9b338b8f6a Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Tue, 29 Oct 2024 15:27:35 -0700 Subject: [PATCH 09/29] Remove redirect to OPA Gatekeeper page --- docusaurus.config.js | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docusaurus.config.js b/docusaurus.config.js index 08b580edf086..708f4eef94ff 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js @@ -2544,10 +2544,6 @@ module.exports = { to: '/integrations-in-rancher/neuvector', from: '/explanations/integrations-in-rancher/neuvector' }, - { - to: '/integrations-in-rancher/opa-gatekeeper', - from: '/explanations/integrations-in-rancher/opa-gatekeeper' - }, { to: '/v2.6/faq/general-faq', from: '/v2.6/faq' From e9ccd164b1abaf094f7279d51f79a08671f84d2e Mon Sep 17 00:00:00 2001 From: Sunil Singh Date: Mon, 4 Nov 2024 15:37:05 -0800 Subject: [PATCH 10/29] Adding in configuration steps to SAML pages on setting up SAML SLO. Signed-off-by: Sunil Singh --- .../configure-keycloak-saml.md | 13 +++++++++++++ .../configure-okta-saml.md | 12 +++++++----- .../configure-pingidentity.md | 13 +++++++++++++ .../configure-keycloak-saml.md | 15 +++++++++++++++ .../configure-okta-saml.md | 17 ++++++++++++++++- .../configure-pingidentity.md | 15 +++++++++++++++ 6 files changed, 79 insertions(+), 6 deletions(-) 
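Review bot: Unrelated whitespace changes in the zh `rancher-cluster-tools.md` hunks of PATCH 08: the first hunk (`@@ -4,7 +4,6 @@`) removes a blank line before `## Logging` and the second (`@@ -18,6 +17,7 @@`) adds one before `## 监控和告警`; neither concerns OPA Gatekeeper, and the en counterpart (`@@ -42,12 +42,6 @@`) makes no such change. Keeping them out of this commit keeps the 2.10 backport a faithful mirror of 9c3755a7 and e12d7b2f, which is what the commit message says it is.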
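Review bot: Removing the redirect in the `docusaurus.config.js` hunk of PATCH 09 leaves both `/explanations/integrations-in-rancher/opa-gatekeeper` and its target `/integrations-in-rancher/opa-gatekeeper` (whose source file is deleted earlier in this series) without a landing page, so existing external links and bookmarks will 404. Rather than dropping the entry, suggest repointing it to whichever page now covers policy enforcement, for example the Pod Security Standards page that lists the remaining recommended engines, and covering the deleted path in the same entry, e.g. `from: ['/integrations-in-rancher/opa-gatekeeper', '/explanations/integrations-in-rancher/opa-gatekeeper']` with `to:` set to the chosen successor page.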
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 0aebd63ad670..1ee8f543015a 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md 
@@ -194,3 +194,16 @@ Try configuring and saving keycloak as your SAML provider and then accessing the * If the log displays `request validation failed: org.keycloak.common.VerificationException: SigAlg was null`, set `Client Signature Required` to `OFF` in your Keycloak client. ## Configuring SAML Single Logout (SLO) + +Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: + +1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. +1. In the top left corner, click **☰ > Users & Authentication**. +1. In the left navigation menu, click **Auth Provider**. +1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: + + | Setting | Description | + | ------------------------- | ----------------------------------------------------------------------------- | + | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | + | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | + | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | 
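Review bot: Missing documentation in the new `## Configuring SAML Single Logout (SLO)` section: the table says what each option logs out of but not the consequence of the first one, which is the security-relevant part. With `Log out of Rancher and not authentication provider` the Keycloak session stays active, so on a shared browser anyone who opens Rancher afterwards can typically be signed straight back in by the still-valid IdP session; the second option is the one that ends that session. Suggest one sentence to that effect in the first row's description, and a sentence stating whether the second option needs anything on the Keycloak side (a logout URL for the Rancher client), since the section as written covers only the Rancher UI. Minor wording: `will only logout the Rancher application` and `will logout Rancher` should use the verb `log out`, and `all external authentication providers` is plural although a single provider is configured at a time.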
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 2d22a751d2b0..6755ce3ebb6b 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md 
@@ -111,13 +111,15 @@ If you experience issues when you test the connection to the OpenLDAP server, en ## Configuring SAML Single Logout (SLO) -1. Sign into Rancher using a local user assigned the [administrator](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/global-permissions) role (i.e., the _local principal_). +Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: + +1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. 1. In the top left corner, click **☰ > Users & Authentication**. 1. In the left navigation menu, click **Auth Provider**. -1. Under the section **Configure Single Logout (SLO)**, choose the appropriate SLO setting as described below: +1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: | Setting | Description | | ------------------------- | ----------------------------------------------------------------------------- | - | Only log out of Rancher | Choosing this option will only logout the Rancher application and not external authentication providers. | - | Log out of Okta (including Rancher and all other application registered with the provider) | Choosing this option will logout Rancher and external authentication providers along with any registered application linked to the provider. | - | Allow the user to choose in an extra step | Choosing this option presents users with a choice of logout method as described above. 
| + | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | + | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | + | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index db418a7f9d7d..c3561aefae79 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md 
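Review bot: Step 1 of the Okta hunk loosens the role requirement: the replaced line required a local user with the administrator role (the _local principal_), the new one says a standard user or an administrator role. Please confirm a standard user can actually change the Log Out behavior under Auth Provider; if only administrators can, the earlier wording should stay, and the `(i.e., the _local principal_)` note told readers which kind of account to use and is worth keeping if it still applies. The switch from the absolute `https://ranchermanager.docs.rancher.com/...` link to the relative `../manage-role-based-access-control-rbac/global-permissions.md` is the right direction. One thing the hunk context exposes: `@@ -111,13 +111,15 @@ If you experience issues when you test the connection to the OpenLDAP server` shows this section sits under an OpenLDAP troubleshooting paragraph on the Okta page, which looks like leftover copy and deserves a separate fix.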
@@ -66,3 +66,16 @@ Note that these URLs will not return valid data until the authentication configu ::: ## Configuring SAML Single Logout (SLO) + +Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: + +1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. +1. In the top left corner, click **☰ > Users & Authentication**. +1. In the left navigation menu, click **Auth Provider**. +1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: + + | Setting | Description | + | ------------------------- | ----------------------------------------------------------------------------- | + | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | + | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | + | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 4e3d9c2713c4..1ee8f543015a 100644 
--- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md 
@@ -192,3 +192,18 @@ Try configuring and saving keycloak as your SAML provider and then accessing the * Check your Keycloak log. * If the log displays `request validation failed: org.keycloak.common.VerificationException: SigAlg was null`, set `Client Signature Required` to `OFF` in your Keycloak client. + +## Configuring SAML Single Logout (SLO) + +Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: + +1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. +1. In the top left corner, click **☰ > Users & Authentication**. +1. In the left navigation menu, click **Auth Provider**. +1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: + + | Setting | Description | + | ------------------------- | ----------------------------------------------------------------------------- | + | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | + | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | + | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | 
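Review bot: this is the second verbatim copy of the 15-line SLO section in this commit, and the Okta and PingIdentity versioned pages below receive the same text; four hand-maintained copies will drift at the first edit, so move the body into one shared include and leave only the `## Configuring SAML Single Logout (SLO)` heading on each page.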
diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 1f601689bc11..6755ce3ebb6b 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md 
@@ -107,4 +107,19 @@ The OpenLDAP service account is used for all searches. Rancher users will see us 1. Click **Okta** or, if SAML is already configured, **Edit Config** 1. Under **User and Group Search**, check **Configure an OpenLDAP server** -If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. \ No newline at end of file +If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. + +## Configuring SAML Single Logout (SLO) + +Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: + +1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. +1. In the top left corner, click **☰ > Users & Authentication**. +1. In the left navigation menu, click **Auth Provider**. +1. 
Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: + + | Setting | Description | + | ------------------------- | ----------------------------------------------------------------------------- | + | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | + | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | + | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index e45d179881e5..c3561aefae79 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md 
@@ -64,3 +64,18 @@ Note that these URLs will not return valid data until the authentication configu - The group drop-down shows only the groups that you are a member of. You will not be able to add groups that you are not a member of. ::: + +## Configuring SAML Single Logout (SLO) + +Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: + +1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. +1. In the top left corner, click **☰ > Users & Authentication**. +1. In the left navigation menu, click **Auth Provider**. +1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: + + | Setting | Description | + | ------------------------- | ----------------------------------------------------------------------------- | + | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | + | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | + | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | From b7725314c20e6a50d61fa501c5265f1982eaef52 Mon Sep 17 00:00:00 2001 
From: Billy Tat Date: Mon, 4 Nov 2024 16:05:51 -0800 Subject: [PATCH 11/29] Add managed-system-upgrade-controller feature flag --- .../installation-references/feature-flags.md | 6 ++++-- .../installation-references/feature-flags.md | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md b/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md index 8a5d5cff106b..37580b2e19a9 100644 --- a/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md +++ b/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md 
@@ -23,6 +23,7 @@ The following is a list of feature flags available in Rancher. If you've upgrade - `harvester`: Manages access to the Virtualization Management page, where users can navigate directly to Harvester clusters and access the Harvester UI. See [Harvester Integration Overview](../../../integrations-in-rancher/harvester/overview.md) for more information. - `istio-virtual-service-ui`: Enables a [visual interface](../../../how-to-guides/advanced-user-guides/enable-experimental-features/istio-traffic-management-features.md) to create, read, update, and delete Istio virtual services and destination rules, which are Istio traffic management features. - `legacy`: Enables a set of features from 2.5.x and earlier, that are slowly being phased out in favor of newer implementations. These are a mix of deprecated features as well as features that will eventually be available to newer versions. This flag is disabled by default on new Rancher installations. If you're upgrading from a previous version of Rancher, this flag is enabled. +- `managed-system-upgrade-controller`: Enables the installation of the system-upgrade-controller app in downstream RKE2/K3s clusters, currently limited to imported clusters and the local cluster, with plans to expand support to node-driver clusters. - `multi-cluster-management`: Allows multi-cluster provisioning and management of Kubernetes clusters. This flag can only be set at install time. It can't be enabled or disabled later. - `rke1-custom-node-cleanup`: Enables cleanup of deleted RKE1 custom nodes. We recommend that you keep this flag enabled, to prevent removed nodes from attempting to rejoin the cluster. - `rke2`: Enables provisioning RKE2 clusters. This flag is enabled by default. 
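Review bot: the new `managed-system-upgrade-controller` bullet omits the default state that neighbouring entries such as `legacy` and `rke2` spell out, even though the table in the next hunk records it as `true`; add "This flag is enabled by default." The trailing "with plans to expand support to node-driver clusters" is roadmap language in a reference list and will go stale silently; state only the current scope (imported clusters and the local cluster) and leave future support to release notes.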
@@ -42,8 +43,9 @@ The following table shows the availability and default values for some feature f | `fleet` | `true` | GA | v2.5.0 | | | `harvester` | `true` | Experimental | v2.6.1 | | | `legacy` | `false` for new installs, `true` for upgrades | GA | v2.6.0 | | +| `managed-system-upgrade-controller` | `true` | GA | v2.10.0 | | | `rke1-custom-node-cleanup`| `true` | GA | v2.6.0 | | | `rke2` | `true` | Experimental | v2.6.0 | | | `token-hashing` | `false` for new installs, `true` for upgrades | GA | v2.6.0 | | -| `uiextension` | `true` | GA | v2.9.0 | -| `ui-sql-cache` | `false` | Highly experimental | v2.9.0 | \ No newline at end of file +| `uiextension` | `true` | GA | v2.9.0 | | +| `ui-sql-cache` | `false` | Highly experimental | v2.9.0 | | diff --git a/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/feature-flags.md b/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/feature-flags.md index 8a5d5cff106b..37580b2e19a9 100644 --- a/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/feature-flags.md +++ b/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/feature-flags.md 
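Review bot: the new row marks `managed-system-upgrade-controller` as GA in v2.10.0 while the bullet in the previous hunk describes its scope as "currently limited" to imported clusters and the local cluster; confirm GA is intended rather than Experimental, the status given to `rke2` and `harvester`. The hunk also repairs the `uiextension` and `ui-sql-cache` rows (the missing trailing `|` cell and the missing newline at end of file), which is welcome but unrelated to the new flag; mention it in the commit message so the diff is not read as a content change to those rows.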
@@ -23,6 +23,7 @@ The following is a list of feature flags available in Rancher. If you've upgrade - `harvester`: Manages access to the Virtualization Management page, where users can navigate directly to Harvester clusters and access the Harvester UI. See [Harvester Integration Overview](../../../integrations-in-rancher/harvester/overview.md) for more information. - `istio-virtual-service-ui`: Enables a [visual interface](../../../how-to-guides/advanced-user-guides/enable-experimental-features/istio-traffic-management-features.md) to create, read, update, and delete Istio virtual services and destination rules, which are Istio traffic management features. - `legacy`: Enables a set of features from 2.5.x and earlier, that are slowly being phased out in favor of newer implementations. These are a mix of deprecated features as well as features that will eventually be available to newer versions. This flag is disabled by default on new Rancher installations. If you're upgrading from a previous version of Rancher, this flag is enabled. +- `managed-system-upgrade-controller`: Enables the installation of the system-upgrade-controller app in downstream RKE2/K3s clusters, currently limited to imported clusters and the local cluster, with plans to expand support to node-driver clusters. - `multi-cluster-management`: Allows multi-cluster provisioning and management of Kubernetes clusters. This flag can only be set at install time. It can't be enabled or disabled later. - `rke1-custom-node-cleanup`: Enables cleanup of deleted RKE1 custom nodes. We recommend that you keep this flag enabled, to prevent removed nodes from attempting to rejoin the cluster. - `rke2`: Enables provisioning RKE2 clusters. This flag is enabled by default. 
@@ -42,8 +43,9 @@ The following table shows the availability and default values for some feature f | `fleet` | `true` | GA | v2.5.0 | | | `harvester` | `true` | Experimental | v2.6.1 | | | `legacy` | `false` for new installs, `true` for upgrades | GA | v2.6.0 | | +| `managed-system-upgrade-controller` | `true` | GA | v2.10.0 | | | `rke1-custom-node-cleanup`| `true` | GA | v2.6.0 | | | `rke2` | `true` | Experimental | v2.6.0 | | | `token-hashing` | `false` for new installs, `true` for upgrades | GA | v2.6.0 | | -| `uiextension` | `true` | GA | v2.9.0 | -| `ui-sql-cache` | `false` | Highly experimental | v2.9.0 | \ No newline at end of file +| `uiextension` | `true` | GA | v2.9.0 | | +| `ui-sql-cache` | `false` | Highly experimental | v2.9.0 | | From 40dbb58d5a6c45c7544cd2f42b0097211067659d Mon Sep 17 00:00:00 2001 From: Sunil Singh Date: Tue, 5 Nov 2024 13:47:08 -0800 Subject: [PATCH 12/29] Adding shared folder file and adding content to MS ADFS SAML/Shibboleth SAML pages. Signed-off-by: Sunil Singh --- .../configure-keycloak-saml.md | 13 +------------ .../authentication-config/configure-okta-saml.md | 13 +------------ .../authentication-config/configure-pingidentity.md | 13 +------------ .../configure-rancher-for-ms-adfs.md | 4 ++++ .../configure-shibboleth-saml.md | 4 ++++ shared-files/_configure-slo.md | 12 ++++++++++++ src/theme/MDXComponents.js | 2 ++ .../configure-keycloak-saml.md | 13 +------------ .../authentication-config/configure-okta-saml.md | 13 +------------ .../authentication-config/configure-pingidentity.md | 13 +------------ .../configure-rancher-for-ms-adfs.md | 4 ++++ .../configure-shibboleth-saml.md | 4 ++++ 12 files changed, 36 insertions(+), 72 deletions(-) create mode 100644 shared-files/_configure-slo.md 
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 1ee8f543015a..43a38e8d5b7f 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md 
@@ -195,15 +195,4 @@ Try configuring and saving keycloak as your SAML provider and then accessing the ## Configuring SAML Single Logout (SLO) -Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: - -1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. -1. In the top left corner, click **☰ > Users & Authentication**. -1. In the left navigation menu, click **Auth Provider**. -1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: - - | Setting | Description | - | ------------------------- | ----------------------------------------------------------------------------- | - | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | - | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | - | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | + diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 6755ce3ebb6b..0496237f3858 100644 
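Review bot: the single `+` line that replaces the removed steps renders as empty in this hunk, so the `## Configuring SAML Single Logout (SLO)` heading is followed by nothing visible; confirm it carries the `ConfigureSLO` element that `src/theme/MDXComponents.js` registers later in this commit, and that the same line is present in the Okta and PingIdentity hunks below, which show the same blank `+`.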
--- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -111,15 +111,4 @@ If you experience issues when you test the connection to the OpenLDAP server, en ## Configuring SAML Single Logout (SLO) -Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: - -1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. -1. In the top left corner, click **☰ > Users & Authentication**. -1. In the left navigation menu, click **Auth Provider**. -1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: - - | Setting | Description | - | ------------------------- | ----------------------------------------------------------------------------- | - | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | - | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | - | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | + 
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index c3561aefae79..6a40e9343f28 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md 
@@ -67,15 +67,4 @@ Note that these URLs will not return valid data until the authentication configu ## Configuring SAML Single Logout (SLO) -Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: - -1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. -1. In the top left corner, click **☰ > Users & Authentication**. -1. In the left navigation menu, click **Auth Provider**. -1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: - - | Setting | Description | - | ------------------------- | ----------------------------------------------------------------------------- | - | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | - | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | - | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | + 
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index 492737803f5b..b2785bd83f0f 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md @@ -51,3 +51,7 @@ You can generate a certificate using an openssl command. For example: ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` + +## Configuring SAML Single Logout (SLO) + + diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index a57f4882050a..1480b024af9d 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md 
@@ -77,6 +77,10 @@ If you configure Shibboleth without OpenLDAP, the following caveats apply due to To enable searching for groups when assigning permissions in Rancher, you will need to configure a back end for the SAML provider that supports groups, such as OpenLDAP. +### Configuring SAML Single Logout (SLO) + + + ## Setting up OpenLDAP in Rancher If you also configure OpenLDAP as the back end to Shibboleth, it will return a SAML assertion to Rancher with user attributes that include groups. Then authenticated users will be able to access resources in Rancher that their groups have permissions for. diff --git a/shared-files/_configure-slo.md b/shared-files/_configure-slo.md new file mode 100644 index 000000000000..769bfe4d5436 --- /dev/null +++ b/shared-files/_configure-slo.md 
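Review bot: the Shibboleth page adds the SLO heading at level three (`### Configuring SAML Single Logout (SLO)`) while the Keycloak, Okta, PingIdentity and AD FS pages use `##`; at level three it nests under whatever level-two heading precedes it (the context lines here discuss configuring Shibboleth without OpenLDAP, which has nothing to do with logout) and sits directly before the level-two `## Setting up OpenLDAP in Rancher`. Use `##` so single logout is a top-level section on every provider page.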
@@ -0,0 +1,12 @@ +Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: + +1. Sign in to Rancher using a standard user or an administrator role to configure SAML SLO. +1. In the top left corner, click **☰ > Users & Authentication**. +1. In the left navigation menu, click **Auth Provider**. +1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: + + | Setting | Description | + | ------------------------- | ----------------------------------------------------------------------------- | + | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | + | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | + | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | diff --git a/src/theme/MDXComponents.js b/src/theme/MDXComponents.js index b5ef8bfde0f5..96351a571700 100644 --- a/src/theme/MDXComponents.js +++ b/src/theme/MDXComponents.js 
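Review bot: step 1 of the shared file drops the link to the global permissions page that the per-page copies carried, presumably because a relative path from `shared-files/` does not resolve when the include is rendered from five pages at different directory depths; that leaves "a standard user or an administrator role" unqualified, so either name the global permission that allows editing the authentication provider or link to it with a root-relative path. Naming it matters here because the setting changes logout behaviour for every Rancher user, not only the person who sets it. The "will only logout" / "will logout" wording from the per-page drafts also carries over unchanged; the verb is "log out".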
@@ -11,6 +11,7 @@ import DeprecationOPAGatekeeper from '/shared-files/_deprecation-opa-gatekeeper. import DeprecationWeave from '/shared-files/_deprecation-weave.md'; import DeprecationHelm2 from '/shared-files/_deprecation-helm2.md'; import DockerSupportWarning from '/shared-files/_docker-support-warning.md'; +import ConfigureSLO from '/shared-files/_configure-slo.md'; export default { // Re-use the default mapping @@ -23,6 +24,7 @@ export default { Card, CNIPopularityTable, + ConfigureSLO, DeprecationOPAGatekeeper, DeprecationWeave, DeprecationHelm2, diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 1ee8f543015a..43a38e8d5b7f 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md 
@@ -195,15 +195,4 @@ Try configuring and saving keycloak as your SAML provider and then accessing the ## Configuring SAML Single Logout (SLO) -Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: - -1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. -1. In the top left corner, click **☰ > Users & Authentication**. -1. In the left navigation menu, click **Auth Provider**. -1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: - - | Setting | Description | - | ------------------------- | ----------------------------------------------------------------------------- | - | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | - | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | - | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | + diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 6755ce3ebb6b..0496237f3858 100644 
--- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -111,15 +111,4 @@ If you experience issues when you test the connection to the OpenLDAP server, en ## Configuring SAML Single Logout (SLO) -Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: - -1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. -1. In the top left corner, click **☰ > Users & Authentication**. -1. In the left navigation menu, click **Auth Provider**. -1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: - - | Setting | Description | - | ------------------------- | ----------------------------------------------------------------------------- | - | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | - | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | - | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | + 
diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index c3561aefae79..6a40e9343f28 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md 
@@ -67,15 +67,4 @@ Note that these URLs will not return valid data until the authentication configu ## Configuring SAML Single Logout (SLO) -Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: - -1. Sign in to Rancher using a [standard user or an administrator role](../manage-role-based-access-control-rbac/global-permissions.md) to configure SAML SLO. -1. In the top left corner, click **☰ > Users & Authentication**. -1. In the left navigation menu, click **Auth Provider**. -1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: - - | Setting | Description | - | ------------------------- | ----------------------------------------------------------------------------- | - | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | - | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | - | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | + 
diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index 492737803f5b..b2785bd83f0f 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md @@ -51,3 +51,7 @@ You can generate a certificate using an openssl command. For example: ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` + +## Configuring SAML Single Logout (SLO) + + diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index a57f4882050a..1480b024af9d 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md 
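Review bot: the AD FS hunk appends `## Configuring SAML Single Logout (SLO)` with two blank lines and no body directly after the openssl certificate block, so the page ends on an empty heading with no lead-in. Either include the content (or the import of the shared partial) in this hunk, or keep the stub out of the commit until the body exists; an empty H2 at the end of a how-to reads as an unfinished page.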
@@ -77,6 +77,10 @@ If you configure Shibboleth without OpenLDAP, the following caveats apply due to To enable searching for groups when assigning permissions in Rancher, you will need to configure a back end for the SAML provider that supports groups, such as OpenLDAP. +### Configuring SAML Single Logout (SLO) + + + ## Setting up OpenLDAP in Rancher If you also configure OpenLDAP as the back end to Shibboleth, it will return a SAML assertion to Rancher with user attributes that include groups. Then authenticated users will be able to access resources in Rancher that their groups have permissions for. From 6a47218c15ef66049cf0f7454e51bf32fa5b2da7 Mon Sep 17 00:00:00 2001 From: Sunil Singh Date: Tue, 5 Nov 2024 14:33:25 -0800 Subject: [PATCH 13/29] Porting changes to i18n docs Signed-off-by: Sunil Singh --- .../authentication-config/configure-keycloak-saml.md | 4 ++++ .../authentication-config/configure-okta-saml.md | 4 ++++ .../authentication-config/configure-pingidentity.md | 4 ++++ .../configure-rancher-for-ms-adfs.md | 4 ++++ .../configure-shibboleth-saml/configure-shibboleth-saml.md | 4 ++++ .../authentication-config/configure-keycloak-saml.md | 4 ++++ .../authentication-config/configure-okta-saml.md | 4 ++++ .../authentication-config/configure-pingidentity.md | 4 ++++ .../configure-rancher-for-ms-adfs.md | 4 ++++ .../configure-shibboleth-saml/configure-shibboleth-saml.md | 4 ++++ 10 files changed, 40 insertions(+) diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 145e327f3af0..9fbe04001f18 100644 
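Review bot: the Shibboleth hunk adds the SLO section as `### Configuring SAML Single Logout (SLO)` while the same section is `##` on the other provider pages and the next heading in this file is `## Setting up OpenLDAP in Rancher`. As placed, SLO becomes a subsection of the "configure Shibboleth without OpenLDAP" caveats, which it has nothing to do with. Use `##` and place it after the OpenLDAP material (or before the caveats), and give it a body or the shared-partial import rather than three blank lines.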
--- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md @@ -188,3 +188,7 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke * 检查你的 Keycloak 日志。 * 如果日志显示 `request validation failed: org.keycloak.common.VerificationException: SigAlg was null`,请在 Keycloak 客户端中将 `Client Signature Required` 设为 `OFF`。 + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 4b9daebde825..0e9201e1f998 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -105,3 +105,7 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限 1. 在**用户和组搜索**下,选中**配置 OpenLDAP Server**。 如果你在测试与 OpenLDAP Server 的连接时遇到问题,请确保你输入了ServiceAccount 的凭证并正确配置了搜索库。你可以检查 Rancher 日志来查明根本原因。调试日志可能包含有关错误的更详细信息。请参阅[如何启用调试日志](../../../../faq/technical-items.md#如何启用调试日志记录)了解更多信息。 + +## Configuring SAML Single Logout (SLO) + + 
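Review bot: both i18n hunks here (zh Keycloak and zh Okta) insert an untranslated English heading `## Configuring SAML Single Logout (SLO)` with an empty body into the Chinese pages. Translated pages should get the localized heading through the translation workflow, not an English stub that renders as a blank section; and if the body is going to come from a shared partial, that partial has to be localizable too, otherwise every zh page in this series ends up with English text under a Chinese title. The same stub is repeated for every zh page and again for the version-2.10 copies, so fixing the approach once here avoids ten identical follow-ups.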
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index 0eebb8363c90..bfe1b8628621 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md @@ -60,3 +60,7 @@ title: 配置 PingIdentity (SAML) - 用户组下拉列表仅显示你所属的用户组。如果你不是某个组的成员,你将无法添加该组。 ::: + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index 325f86ca45b9..b29f42313d84 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md 
@@ -51,3 +51,7 @@ title: 2. 在 Rancher 中配置 Microsoft AD FS ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index fe0c5cde49bc..9056b1d91434 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md @@ -76,6 +76,10 @@ SAML 协议不支持用户或用户组的搜索或查找。因此,如果你没 要在 Rancher 中分配权限时启用搜索组,你需要为 SAML 身份认证服务配置支持组的后端(例如 OpenLDAP)。 +### Configuring SAML Single Logout (SLO) + + + # 在 Rancher 中设置 OpenLDAP 如果你将 OpenLDAP 配置为 Shibboleth 的后端,SAML 断言会返回到 Rancher,其中包括用于引用组的用户属性。然后,通过认证的用户将能够访问其所在的组有权访问的 Rancher 资源。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 145e327f3af0..9fbe04001f18 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md 
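Review bot: in the zh Shibboleth hunk the new `### Configuring SAML Single Logout (SLO)` is followed by `# 在 Rancher 中设置 OpenLDAP`, an H1 inside the body, so the heading hierarchy jumps from H3 straight to H1 on this page. The stub inherits the level mismatch from the English Shibboleth page (H3 where every other provider uses H2) and adds the untranslated-heading problem on top; use the same level as the other provider pages and let the translation pick up the heading text.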
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md @@ -188,3 +188,7 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke * 检查你的 Keycloak 日志。 * 如果日志显示 `request validation failed: org.keycloak.common.VerificationException: SigAlg was null`,请在 Keycloak 客户端中将 `Client Signature Required` 设为 `OFF`。 + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 4b9daebde825..0e9201e1f998 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -105,3 +105,7 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限 1. 在**用户和组搜索**下,选中**配置 OpenLDAP Server**。 如果你在测试与 OpenLDAP Server 的连接时遇到问题,请确保你输入了ServiceAccount 的凭证并正确配置了搜索库。你可以检查 Rancher 日志来查明根本原因。调试日志可能包含有关错误的更详细信息。请参阅[如何启用调试日志](../../../../faq/technical-items.md#如何启用调试日志记录)了解更多信息。 + +## Configuring SAML Single Logout (SLO) + + 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index 0eebb8363c90..bfe1b8628621 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md @@ -60,3 +60,7 @@ title: 配置 PingIdentity (SAML) - 用户组下拉列表仅显示你所属的用户组。如果你不是某个组的成员,你将无法添加该组。 ::: + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index 325f86ca45b9..b29f42313d84 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md 
@@ -51,3 +51,7 @@ title: 2. 在 Rancher 中配置 Microsoft AD FS ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index fe0c5cde49bc..9056b1d91434 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md @@ -76,6 +76,10 @@ SAML 协议不支持用户或用户组的搜索或查找。因此,如果你没 要在 Rancher 中分配权限时启用搜索组,你需要为 SAML 身份认证服务配置支持组的后端(例如 OpenLDAP)。 +### Configuring SAML Single Logout (SLO) + + + # 在 Rancher 中设置 OpenLDAP 如果你将 OpenLDAP 配置为 Shibboleth 的后端,SAML 断言会返回到 Rancher,其中包括用于引用组的用户属性。然后,通过认证的用户将能够访问其所在的组有权访问的 Rancher 资源。 From 766d6053352dcb50e0b9e7a1c8ef9fc7b2861dfd Mon Sep 17 00:00:00 2001 From: Peter Matseykanets Date: Thu, 31 Oct 2024 13:23:23 -0400 Subject: [PATCH 14/29] Expand on Project Public API workflows --- docs/api/workflows/projects.md | 76 +++++++++++++++++++++++++++++++++- 1 file changed, 75 insertions(+), 1 deletion(-) diff --git a/docs/api/workflows/projects.md b/docs/api/workflows/projects.md index ea4b6fe66f39..1d6f6317c0d9 100644 --- a/docs/api/workflows/projects.md +++ b/docs/api/workflows/projects.md 
@@ -48,6 +48,9 @@ EOF ``` Setting the `field.cattle.io/creatorId` field allows the cluster member account to see project resources with the `get` command and view the project in the Rancher UI. Cluster owner and admin accounts don't need to set this annotation to perform these tasks. +Setting the `field.cattle.io/creator-principal-name` annotation to the user's principal preserves it in a projectroletemplatebinding automatically created for the project owner. + +If you don't want the creator to be added as the owner member (e.g. if the creator is a cluster administrator) to the project you may set the `field.cattle.io/no-creator-rbac` annotation to `true`, which will prevent the corresponding projectroletemplatebinding from being created. ### Creating a Project With a Resource Quota @@ -91,6 +94,77 @@ spec: limitsMemory: 100Mi requestsCpu: 50m requestsMemory: 50Mi +EOF +``` + +## Adding a Member to a Project + +Look up the project ID to specify the `metadata.namespace` field and `projectName` field values. + +```bash +kubectl --namespace c-m-abcde get projects +``` + +Look up the role template ID to specify the `roleTemplateName` field value (e.g. `project-member` or `project-owner`). + +```bash +kubectl get roletemplates +``` + +When adding a user member specify the `userPrincipalName` field: + +```bash +kubectl create -f - < Date: Fri, 1 Nov 2024 10:17:04 -0400 Subject: [PATCH 15/29] Add versioned docs --- .../version-2.10/api/workflows/projects.md | 76 ++++++++++++++++++- .../version-2.8/api/workflows/projects.md | 71 +++++++++++++++++ .../version-2.9/api/workflows/projects.md | 73 +++++++++++++++++- 3 files changed, 218 insertions(+), 2 deletions(-) diff --git a/versioned_docs/version-2.10/api/workflows/projects.md b/versioned_docs/version-2.10/api/workflows/projects.md index ea4b6fe66f39..1d6f6317c0d9 100644 --- a/versioned_docs/version-2.10/api/workflows/projects.md +++ b/versioned_docs/version-2.10/api/workflows/projects.md 
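Review bot: the `field.cattle.io/no-creator-rbac` paragraph needs a caveat, not just the cluster-administrator example. The paragraph above it explains that the creator binding is what lets a cluster member see the project at all, so a cluster member who sets `no-creator-rbac: "true"` locks themselves out of the project they just created; the doc should say that when this annotation is set, an owner must be assigned explicitly with a projectroletemplatebinding (the new "Adding a Member to a Project" section is the natural cross-reference). The sentence is also awkward ("added as the owner member (...) to the project you may set"); suggest: "If you don't want the creator to be added to the project as an owner (for example, when the creator is a cluster administrator), set the `field.cattle.io/no-creator-rbac` annotation to `true`. No projectroletemplatebinding is created for the creator in that case." The `creator-principal-name` sentence should say what "preserves it" buys the reader: that the automatically created owner binding carries the user's principal name rather than only the `creatorId` user. Finally, "Look up the project ID to specify the `metadata.namespace` field and `projectName` field values" names two fields but one value; the binding example should show both fields filled in so readers don't paste the same string into each, and the lookup `kubectl --namespace c-m-abcde get projects` should say that `c-m-abcde` is the cluster ID placeholder.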
@@ -48,6 +48,9 @@ EOF ``` Setting the `field.cattle.io/creatorId` field allows the cluster member account to see project resources with the `get` command and view the project in the Rancher UI. Cluster owner and admin accounts don't need to set this annotation to perform these tasks. +Setting the `field.cattle.io/creator-principal-name` annotation to the user's principal preserves it in a projectroletemplatebinding automatically created for the project owner. + +If you don't want the creator to be added as the owner member (e.g. if the creator is a cluster administrator) to the project you may set the `field.cattle.io/no-creator-rbac` annotation to `true`, which will prevent the corresponding projectroletemplatebinding from being created. ### Creating a Project With a Resource Quota @@ -91,6 +94,77 @@ spec: limitsMemory: 100Mi requestsCpu: 50m requestsMemory: 50Mi +EOF +``` + +## Adding a Member to a Project + +Look up the project ID to specify the `metadata.namespace` field and `projectName` field values. + +```bash +kubectl --namespace c-m-abcde get projects +``` + +Look up the role template ID to specify the `roleTemplateName` field value (e.g. `project-member` or `project-owner`). + +```bash +kubectl get roletemplates +``` + +When adding a user member specify the `userPrincipalName` field: + +```bash +kubectl create -f - < Date: Wed, 6 Nov 2024 12:25:49 -0500 Subject: [PATCH 16/29] Add missing EOLs --- docs/api/workflows/projects.md | 1 + versioned_docs/version-2.10/api/workflows/projects.md | 1 + 2 files changed, 2 insertions(+) diff --git a/docs/api/workflows/projects.md b/docs/api/workflows/projects.md index 1d6f6317c0d9..7b7ced1e6d04 100644 --- a/docs/api/workflows/projects.md +++ b/docs/api/workflows/projects.md 
@@ -48,6 +48,7 @@ EOF ``` Setting the `field.cattle.io/creatorId` field allows the cluster member account to see project resources with the `get` command and view the project in the Rancher UI. Cluster owner and admin accounts don't need to set this annotation to perform these tasks. + Setting the `field.cattle.io/creator-principal-name` annotation to the user's principal preserves it in a projectroletemplatebinding automatically created for the project owner. If you don't want the creator to be added as the owner member (e.g. if the creator is a cluster administrator) to the project you may set the `field.cattle.io/no-creator-rbac` annotation to `true`, which will prevent the corresponding projectroletemplatebinding from being created. diff --git a/versioned_docs/version-2.10/api/workflows/projects.md b/versioned_docs/version-2.10/api/workflows/projects.md index 1d6f6317c0d9..7b7ced1e6d04 100644 --- a/versioned_docs/version-2.10/api/workflows/projects.md +++ b/versioned_docs/version-2.10/api/workflows/projects.md @@ -48,6 +48,7 @@ EOF ``` Setting the `field.cattle.io/creatorId` field allows the cluster member account to see project resources with the `get` command and view the project in the Rancher UI. Cluster owner and admin accounts don't need to set this annotation to perform these tasks. + Setting the `field.cattle.io/creator-principal-name` annotation to the user's principal preserves it in a projectroletemplatebinding automatically created for the project owner. If you don't want the creator to be added as the owner member (e.g. if the creator is a cluster administrator) to the project you may set the `field.cattle.io/no-creator-rbac` annotation to `true`, which will prevent the corresponding projectroletemplatebinding from being created. From 8aa0eeab27520b566f47cdf14b32549c153ff65b Mon Sep 17 00:00:00 2001 
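Review bot: the commit title says "Add missing EOLs", but what these two hunks add is a blank line between the `creatorId` paragraph and the `creator-principal-name` sentence so Markdown stops rendering them as one paragraph. That is a paragraph-break fix, not an end-of-file newline fix (the actual missing-EOF-newline case in this series is the Okta page, which carries "\ No newline at end of file"); the title should describe the change so the history is searchable.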
From: Venkata Krishna Rohit Sakala Date: Thu, 7 Nov 2024 08:25:47 -0800 Subject: [PATCH 17/29] Remove OPA Gatekeeper since it is deleted --- .../helm-charts-in-rancher/helm-charts-in-rancher.md | 1 - .../helm-charts-in-rancher/helm-charts-in-rancher.md | 1 - 2 files changed, 2 deletions(-) diff --git a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 728da0d4dc18..c6c1a02dc3b7 100644 --- a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md @@ -53,7 +53,6 @@ To display prerelease versions: | rancher-alerting-drivers | 100.0.0 | 100.0.2 | | rancher-backup | 2.0.1 | 2.1.2 | | rancher-cis-benchmark | 2.0.1 | 2.0.4 | -| rancher-gatekeeper | 100.0.0+up3.6.0 | 100.1.0+up3.7.1 | | rancher-istio | 100.0.0+up1.10.4 | 100.3.0+up1.13.3 | | rancher-logging | 100.0.0+up3.12.0 | 100.1.2+up3.17.4 | | rancher-longhorn | 100.0.0+up1.1.2 | 100.1.2+up1.2.4 | diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 84ae382badbb..6252aae94c47 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
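Review bot: deleting the `rancher-gatekeeper | 100.0.0+up3.6.0 | 100.1.0+up3.7.1` row removes the chart from the supported-versions table without leaving any trace for readers who have it installed. The commit message says the chart "is deleted", so the page (or a deprecation note it links to) should state the Rancher release in which `rancher-gatekeeper` stopped shipping and what operators with existing installs should do; a silently missing row is indistinguishable from an oversight.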
@@ -53,7 +53,6 @@ To display prerelease versions: | rancher-alerting-drivers | 100.0.0 | 100.0.2 | | rancher-backup | 2.0.1 | 2.1.2 | | rancher-cis-benchmark | 2.0.1 | 2.0.4 | -| rancher-gatekeeper | 100.0.0+up3.6.0 | 100.1.0+up3.7.1 | | rancher-istio | 100.0.0+up1.10.4 | 100.3.0+up1.13.3 | | rancher-logging | 100.0.0+up3.12.0 | 100.1.2+up3.17.4 | | rancher-longhorn | 100.0.0+up1.1.2 | 100.1.2+up1.2.4 | From b9edf0d6ffe77039b34b7074a09520e44ccbff62 Mon Sep 17 00:00:00 2001 From: Venkata Krishna Rohit Sakala Date: Thu, 7 Nov 2024 08:30:02 -0800 Subject: [PATCH 18/29] Update rancher-istio supported versions --- .../helm-charts-in-rancher/helm-charts-in-rancher.md | 2 +- .../helm-charts-in-rancher/helm-charts-in-rancher.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index c6c1a02dc3b7..3ab3afc310f9 100644 --- a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md @@ -53,7 +53,7 @@ To display prerelease versions: | rancher-alerting-drivers | 100.0.0 | 100.0.2 | | rancher-backup | 2.0.1 | 2.1.2 | | rancher-cis-benchmark | 2.0.1 | 2.0.4 | -| rancher-istio | 100.0.0+up1.10.4 | 100.3.0+up1.13.3 | +| rancher-istio | 105.0.0+up1.19.6 | 105.4.0+up1.23.2 | | rancher-logging | 100.0.0+up3.12.0 | 100.1.2+up3.17.4 | | rancher-longhorn | 100.0.0+up1.1.2 | 100.1.2+up1.2.4 | | rancher-monitoring | 100.0.0+up16.6.0 | 100.1.2+up19.0.3 | diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 6252aae94c47..3e2964c3279d 100644 
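Review bot: the `rancher-istio` row is bumped to `105.0.0+up1.19.6 | 105.4.0+up1.23.2` while the neighbouring rows stay at their old values (`rancher-logging 100.0.0+up3.12.0`, `rancher-longhorn 100.0.0+up1.1.2`, `rancher-monitoring 100.0.0+up16.6.0`, `rancher-backup 2.0.1`), so the table now mixes chart generations from different Rancher releases. Either refresh every row for the same release in this commit, or add a sentence above the table stating which Rancher version the listed ranges apply to.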
--- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md @@ -53,7 +53,7 @@ To display prerelease versions: | rancher-alerting-drivers | 100.0.0 | 100.0.2 | | rancher-backup | 2.0.1 | 2.1.2 | | rancher-cis-benchmark | 2.0.1 | 2.0.4 | -| rancher-istio | 100.0.0+up1.10.4 | 100.3.0+up1.13.3 | +| rancher-istio | 105.0.0+up1.19.6 | 105.4.0+up1.23.2 | | rancher-logging | 100.0.0+up3.12.0 | 100.1.2+up3.17.4 | | rancher-longhorn | 100.0.0+up1.1.2 | 100.1.2+up1.2.4 | | rancher-monitoring | 100.0.0+up16.6.0 | 100.1.2+up19.0.3 | From 3b847a904f05f26409d15134d8c333a85dc76609 Mon Sep 17 00:00:00 2001 From: Sunil Singh Date: Thu, 7 Nov 2024 12:37:24 -0800 Subject: [PATCH 19/29] Adding note to SLO configuration file that the option is only available on auth providers that allow for SAML SLO. 
Signed-off-by: Sunil Singh --- docs/api/workflows/projects.md | 77 +++++++++++- .../installation-references/feature-flags.md | 6 +- .../configure-keycloak-saml.md | 4 + .../configure-okta-saml.md | 6 +- .../configure-pingidentity.md | 4 + .../configure-rancher-for-ms-adfs.md | 4 + .../configure-shibboleth-saml.md | 4 + .../pod-security-standards.md | 2 +- .../helm-charts-in-rancher.md | 38 +++++- .../manage-clusters/manage-clusters.md | 1 - .../integrations-in-rancher/opa-gatekeeper.md | 117 ------------------ .../disconnected-clusters.md | 19 --- .../rancher-managed-clusters.md | 4 - .../reference-guides/rancher-cluster-tools.md | 6 - docusaurus.config.js | 4 - .../configure-keycloak-saml.md | 4 + .../configure-okta-saml.md | 4 + .../configure-pingidentity.md | 4 + .../configure-rancher-for-ms-adfs.md | 4 + .../configure-shibboleth-saml.md | 4 + .../configure-keycloak-saml.md | 4 + .../configure-okta-saml.md | 4 + .../configure-pingidentity.md | 4 + .../configure-rancher-for-ms-adfs.md | 4 + .../configure-shibboleth-saml.md | 4 + .../pod-security-standards.md | 2 +- .../helm-charts-in-rancher.md | 46 +++++++ .../manage-clusters/manage-clusters.md | 1 - .../integrations-in-rancher/opa-gatekeeper.md | 111 ----------------- .../reference-guides/rancher-cluster-tools.md | 5 +- .../version-2.7/faq/deprecated-features.md | 1 - .../aws-cloud-marketplace/install-adapter.md | 1 - .../reference-guides/rancher-webhook.md | 1 - shared-files/_configure-slo.md | 16 +++ sidebars.js | 4 +- src/pages/versions.md | 12 +- src/theme/MDXComponents.js | 2 + .../version-2.10/api/workflows/projects.md | 77 +++++++++++- .../installation-references/feature-flags.md | 6 +- .../configure-keycloak-saml.md | 4 + .../configure-okta-saml.md | 6 +- .../configure-pingidentity.md | 4 + .../configure-rancher-for-ms-adfs.md | 4 + .../configure-shibboleth-saml.md | 4 + .../pod-security-standards.md | 2 +- .../helm-charts-in-rancher.md | 38 +++++- .../manage-clusters/manage-clusters.md | 1 - 
.../integrations-in-rancher/opa-gatekeeper.md | 117 ------------------ .../reference-guides/rancher-cluster-tools.md | 6 - .../version-2.7/faq/deprecated-features.md | 3 +- .../aws-cloud-marketplace/install-adapter.md | 1 - .../reference-guides/rancher-webhook.md | 1 - .../version-2.8/api/workflows/projects.md | 71 +++++++++++ .../version-2.9/api/workflows/projects.md | 73 ++++++++++- .../disconnected-clusters.md | 19 --- .../rancher-managed-clusters.md | 4 - versioned_sidebars/version-2.10-sidebars.json | 1 - versioned_sidebars/version-2.9-sidebars.json | 3 +- 58 files changed, 532 insertions(+), 451 deletions(-) delete mode 100644 docs/integrations-in-rancher/opa-gatekeeper.md delete mode 100644 docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md delete mode 100644 i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md create mode 100644 shared-files/_configure-slo.md delete mode 100644 versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md delete mode 100644 versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md diff --git a/docs/api/workflows/projects.md b/docs/api/workflows/projects.md index ea4b6fe66f39..7b7ced1e6d04 100644 --- a/docs/api/workflows/projects.md +++ b/docs/api/workflows/projects.md 
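Review bot: the commit message describes a one-line SLO availability note, but the diffstat touches 58 files (532 insertions, 451 deletions), including deleting `docs/integrations-in-rancher/opa-gatekeeper.md` and `disconnected-clusters.md`, editing `docusaurus.config.js`, `sidebars.js`, `src/pages/versions.md` and `src/theme/MDXComponents.js`, and re-applying the `projects.md` hunks already present in PATCH 14, 15 and 16. This looks like `main` merged into the branch and recorded as an ordinary commit; rebase so the SLO change stands alone and the series does not carry duplicate hunks. The one file that does belong here, the new `shared-files/_configure-slo.md`, is presumably where the "only available on auth providers that allow for SAML SLO" note lives, and it should be imported from each stub SLO heading in this commit rather than left unreferenced.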
@@ -49,6 +49,10 @@ EOF Setting the `field.cattle.io/creatorId` field allows the cluster member account to see project resources with the `get` command and view the project in the Rancher UI. Cluster owner and admin accounts don't need to set this annotation to perform these tasks. +Setting the `field.cattle.io/creator-principal-name` annotation to the user's principal preserves it in a projectroletemplatebinding automatically created for the project owner. + +If you don't want the creator to be added as the owner member (e.g. if the creator is a cluster administrator) to the project you may set the `field.cattle.io/no-creator-rbac` annotation to `true`, which will prevent the corresponding projectroletemplatebinding from being created. + ### Creating a Project With a Resource Quota Refer to [Kubernetes Resource Quota](https://kubernetes.io/docs/concepts/policy/resource-quotas/). @@ -91,6 +95,77 @@ spec: limitsMemory: 100Mi requestsCpu: 50m requestsMemory: 50Mi +EOF +``` + +## Adding a Member to a Project + +Look up the project ID to specify the `metadata.namespace` field and `projectName` field values. + +```bash +kubectl --namespace c-m-abcde get projects +``` + +Look up the role template ID to specify the `roleTemplateName` field value (e.g. `project-member` or `project-owner`). + +```bash +kubectl get roletemplates +``` + +When adding a user member specify the `userPrincipalName` field: + +```bash +kubectl create -f - < diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 1f601689bc11..0496237f3858 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md 
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -107,4 +107,8 @@ The OpenLDAP service account is used for all searches. Rancher users will see us 1. Click **Okta** or, if SAML is already configured, **Edit Config** 1. Under **User and Group Search**, check **Configure an OpenLDAP server** -If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. \ No newline at end of file +If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. + +## Configuring SAML Single Logout (SLO) + + diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index e45d179881e5..6a40e9343f28 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md 
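Review bot: the Okta hunk only fixes the missing trailing newline and appends `## Configuring SAML Single Logout (SLO)` with an empty body. The provider-availability note named in the commit title does not appear here, and nothing in the hunk imports `shared-files/_configure-slo.md` (created in this commit according to the diffstat), so the published page shows a bare heading. Add the import or the text in the same hunk; the newline fix itself is fine.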
@@ -64,3 +64,7 @@ Note that these URLs will not return valid data until the authentication configu - The group drop-down shows only the groups that you are a member of. You will not be able to add groups that you are not a member of. ::: + +## Configuring SAML Single Logout (SLO) + + diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index 492737803f5b..b2785bd83f0f 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md @@ -51,3 +51,7 @@ You can generate a certificate using an openssl command. For example: ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` + +## Configuring SAML Single Logout (SLO) + + diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index a57f4882050a..1480b024af9d 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md 
@@ -77,6 +77,10 @@ If you configure Shibboleth without OpenLDAP, the following caveats apply due to To enable searching for groups when assigning permissions in Rancher, you will need to configure a back end for the SAML provider that supports groups, such as OpenLDAP. +### Configuring SAML Single Logout (SLO) + + + ## Setting up OpenLDAP in Rancher If you also configure OpenLDAP as the back end to Shibboleth, it will return a SAML assertion to Rancher with user attributes that include groups. Then authenticated users will be able to access resources in Rancher that their groups have permissions for. diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md index 7b55b963fda3..5e8f2ee3b584 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md 
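Review bot: in the Shibboleth hunk the new heading is `### Configuring SAML Single Logout (SLO)` while the other four provider pages use `##`; here it lands between the "SAML has no user/group search" caveats and `## Setting up OpenLDAP in Rancher`, so it renders as a subsection of the caveats, which have nothing to do with logout. Use `##` to match the other pages and keep SLO as its own top-level section.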
@@ -13,7 +13,7 @@ PSS define security levels for workloads. PSAs describe requirements for pod sec ## Upgrade to Pod Security Standards (PSS) -Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper), [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. +Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. :::caution You must add your new policy enforcement mechanisms _before_ you remove the PodSecurityPolicy objects. If you don't, you may create an opportunity for privilege escalation attacks within the cluster. diff --git a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 728da0d4dc18..8542096e1a16 100644 --- a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
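Review bot: dropping OPA Gatekeeper from the policy-engine list in `pod-security-standards.md` leaves users who installed it from Rancher's Apps (as the integration page deleted later in this patch told them to) with no migration pointer. The `:::caution` block just below says to add the replacement enforcement mechanism before removing the old one to avoid a privilege-escalation window; the same applies to anyone uninstalling Gatekeeper now that the Rancher chart is gone. Add one sentence such as "If you installed OPA Gatekeeper from Rancher Apps, migrate its constraints to one of the engines above before uninstalling it" so the caution is actionable for that group.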
+++ b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
@@ -194,6 +194,42 @@ Non-Airgap Rancher installations upon refresh will reflect any chart repository Airgap installations where Rancher is configured to use the packaged copy of Helm system charts ([`useBundledSystemChart=true`](../../../getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md#helm-chart-options-for-air-gap-installations)) will only refer to the [system-chart](https://github.com/rancher/system-charts) repository that comes bundled and will not be able to be refreshed or synced. +#### Refresh Interval + +Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds. + +To modify the refresh interval of a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to modify, and click **⋮ > Edit YAML**. +1. Set the **refreshInterval** field under **Spec** to the desired value in seconds. +1. Click **Save**. + +### Enable/Disable Helm Chart Repositories + +Rancher v2.10.0 adds the ability to enable and disable Helm repositories. Helm repositories are enabled by default. + +To disable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **false**. +1. Click **Save**. +1. When you disable a repository, updates are disabled and new changes to the clusterRepo are not applied. 
+ +To enable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **true**. +1. Click **Save**. + ## Deploy and Upgrade Charts To install and deploy a chart: @@ -201,7 +237,7 @@ To install and deploy a chart: 1. Click **☰ > Cluster Management**. 1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. 1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Charts**. -1. Select a chart, and click **Install**. +1. Select a chart, and click **Install**. Rancher and Partner charts may have extra configurations available through custom pages or questions.yaml files. However, all chart installations can modify the values.yaml and other basic settings. After you click **Install**, a Helm operation job is deployed, and the console for the job is displayed. diff --git a/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md b/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md index eafa50faff9d..a694c2f77c2c 100644 --- a/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md +++ b/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md @@ -31,6 +31,5 @@ Rancher contains a variety of tools that aren't included in Kubernetes to assist - Logging - Monitoring - Istio Service Mesh -- OPA Gatekeeper Tools can be installed through **Apps.** diff --git a/docs/integrations-in-rancher/opa-gatekeeper.md b/docs/integrations-in-rancher/opa-gatekeeper.md deleted file mode 100644 index cea9732b36cd..000000000000 --- a/docs/integrations-in-rancher/opa-gatekeeper.md +++ /dev/null 
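Review bot: the enable procedure in the `Enable/Disable Helm Chart Repositories` hunk still says "Find the repository you want to disable" (copied from the disable steps), and step 7 of the disable list ("When you disable a repository, updates are disabled...") is a consequence, not an action, so it belongs as a sentence after the list. Field naming is inconsistent too: `refreshInterval` is in code font but the sibling CRD field is written as bold **Enabled**; the YAML key the user edits is `spec.enabled`, so write it as `enabled` in code font. Heading levels are off as well: `#### Refresh Interval` is nested under the airgap paragraph while `### Enable/Disable ...` sits a level up, although both are repository settings and should be siblings. Finally, say what disabling means operationally: a disabled `ClusterRepo` stops syncing its index, so new chart versions (including releases that fix CVEs) are not visible until it is re-enabled, and a long `refreshInterval` delays them the same way; one sentence on that trade-off helps an operator decide how to use these settings.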
@@ -1,117 +0,0 @@ ---- -title: OPA Gatekeeper ---- - - - - - - - -To ensure consistency and compliance, every organization needs the ability to define and enforce policies in its environment in an automated way. [OPA (Open Policy Agent)](https://www.openpolicyagent.org/) is a policy engine that facilitates policy-based control for cloud native environments. Rancher provides the ability to enable OPA Gatekeeper in Kubernetes clusters, and also installs a couple of built-in policy definitions, which are also called constraint templates. - -OPA provides a high-level declarative language that lets you specify policy as code and ability to extend simple APIs to offload policy decision-making. - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: - -- An extensible, parameterized policy library. -- Native Kubernetes CRDs for instantiating the policy library, also called “constraints." -- Native Kubernetes CRDs for extending the policy library, also called "constraint templates." -- Audit functionality. - -To read more about OPA, please refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/) - -## How the OPA Gatekeeper Integration Works - -Kubernetes provides the ability to extend API server functionality via admission controller webhooks, which are invoked whenever a resource is created, updated or deleted. Gatekeeper is installed as a validating webhook and enforces policies defined by Kubernetes custom resource definitions. In addition to the admission control usage, Gatekeeper provides the capability to audit existing resources in Kubernetes clusters and mark current violations of enabled policies. 
- -OPA Gatekeeper is made available via Rancher's Helm system chart, and it is installed in a namespace named `gatekeeper-system.` - -## Enabling OPA Gatekeeper in a Cluster - -:::note - -In Rancher v2.5, the OPA Gatekeeper application was improved. The Rancher v2.4 feature can't be upgraded to the new version in Rancher v2.5. If you installed OPA Gatekeeper in Rancher v2.4, you will need to uninstall OPA Gatekeeper and its CRDs from the old UI, then reinstall it in Rancher v2.5. To uninstall the CRDs run the following command in the kubectl console `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh`. - -::: - -:::note Prerequisite: - -Only administrators and cluster owners can enable OPA Gatekeeper. - -::: - -The OPA Gatekeeper Helm chart can be installed from **Apps**. - -### Enabling OPA Gatekeeper - -1. In the upper left corner, click **☰ > Cluster Management**. -1. In the **Clusters** page, go to the cluster where you want to enable OPA Gatekeeper and click **Explore**. -1. In the left navigation bar, click **Apps**. -1. Click **Charts** and click **OPA Gatekeeper**. -1. Click **Install**. - -**Result:** OPA Gatekeeper is deployed in your Kubernetes cluster. - -## Constraint Templates - -[Constraint templates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) are Kubernetes custom resources that define the schema and Rego logic of the OPA policy to be applied by Gatekeeper. For more information on the Rego policy language, refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/policy-language/) - -When OPA Gatekeeper is enabled, Rancher installs some templates by default. - -To list the constraint templates installed in the cluster, go to the left side menu under OPA Gatekeeper and click on **Templates**. - -Rancher also provides the ability to create your own constraint templates by importing YAML definitions. 
- -## Creating and Configuring Constraints - -[Constraints](https://github.com/open-policy-agent/gatekeeper#constraints) are Kubernetes custom resources that define the scope of objects to which a specific constraint template applies to. The complete policy is defined by constraint templates and constraints together. - -:::note Prerequisite: - -OPA Gatekeeper must be enabled in the cluster. - -::: - -To list the constraints installed, go to the left side menu under OPA Gatekeeper, and click on **Constraints**. - -New constraints can be created from a constraint template. - -Rancher provides the ability to create a constraint by using a convenient form that lets you input the various constraint fields. - -The **Edit as yaml** option is also available to configure the the constraint's yaml definition. - -### Exempting Rancher's System Namespaces from Constraints - -When a constraint is created, ensure that it does not apply to any Rancher or Kubernetes system namespaces. If the system namespaces are not excluded, then it is possible to see many resources under them marked as violations of the constraint. - -To limit the scope of the constraint only to user namespaces, always specify these namespaces under the **Match** field of the constraint. - -Also, the constraint may interfere with other Rancher functionality and deny system workloads from being deployed. To avoid this, exclude all Rancher-specific namespaces from your constraints. - -## Enforcing Constraints in your Cluster - -When the **Enforcement Action** is **Deny,** the constraint is immediately enabled and will deny any requests that violate the policy defined. By default, the enforcement value is **Deny**. - -When the **Enforcement Action** is **Dryrun,** then any resources that violate the policy are only recorded under the constraint's status field. - -To enforce constraints, create a constraint using the form. In the **Enforcement Action** field, choose **Deny**. 
- -## Audit and Violations in your Cluster - -OPA Gatekeeper runs a periodic audit to check if any existing resource violates any enforced constraint. The audit-interval (default 300s) can be configured while installing Gatekeeper. - -On the Gatekeeper page, any violations of the defined constraints are listed. - -Also under **Constraints,** the number of violations of the constraint can be found. - -The detail view of each constraint lists information about the resource that violated the constraint. - -## Disabling Gatekeeper - -1. Navigate to the cluster's Dashboard view -1. On the left side menu, expand the cluster menu and click on **OPA Gatekeeper**. -1. Click the **⋮ > Disable**. - -**Result:** Upon disabling OPA Gatekeeper, all constraint templates and constraints will also be deleted. - diff --git a/docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md deleted file mode 100644 index c3c9b7a732df..000000000000 --- a/docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md +++ /dev/null 
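Review bot: deleting `opa-gatekeeper.md` removes the only documented clean-up path for the Rancher-installed chart: the `Disabling Gatekeeper` steps, the statement that disabling deletes all constraint templates and constraints, and the `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh` command. Clusters still running the chart need that material, and the CRD deletion is destructive (it drops every constraint, i.e. all Gatekeeper policy enforcement, at once). Move those parts into a short deprecation note (for example in `pod-security-standards.md`, which this patch already edits) before removing the page, and keep the page in the versioned docs for releases that shipped the chart.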
@@ -1,19 +0,0 @@ ---- -title: Best Practices for Disconnected Clusters ---- - - - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. - -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. diff --git a/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index c0bdf07d88db..1e73af430af9 100644 
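Review bot: the deleted `disconnected-clusters.md` carried two operational caveats that are not relocated anywhere in this patch: keep managed clusters online during a Rancher upgrade so agents are upgraded in step with Rancher, and account for certificate rotation when clusters are routinely shut down (RKE/RKE2/K3s may rotate certificates on startup once they exceed their lifetime). Neither is obsolete, and the commit message (an SLO outline) does not explain the removal. Either fold the two bullets into `rancher-managed-clusters.md` as a short subsection or state in the commit message why they are being dropped; the companion hunk that removes the link from `rancher-managed-clusters.md` is correct either way.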
--- a/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/docs/reference-guides/rancher-cluster-tools.md b/docs/reference-guides/rancher-cluster-tools.md index 4607ae590353..ad46fbdd9d25 100644 --- a/docs/reference-guides/rancher-cluster-tools.md +++ b/docs/reference-guides/rancher-cluster-tools.md @@ -42,12 +42,6 @@ Rancher's integration with Istio was improved in Rancher v2.5. For more information, refer to the Istio documentation [here.](../integrations-in-rancher/istio/istio.md) -## OPA Gatekeeper - - - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is an open-source project that provides integration between OPA and Kubernetes to provide policy control via admission controller webhooks. For details on how to enable Gatekeeper in Rancher, refer to the [OPA Gatekeeper section.](../integrations-in-rancher/opa-gatekeeper.md) - ## CIS Scans Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. 
diff --git a/docusaurus.config.js b/docusaurus.config.js index a3c0a1ae7a68..b65c0ed47129 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js @@ -2556,10 +2556,6 @@ module.exports = { to: '/integrations-in-rancher/neuvector', from: '/explanations/integrations-in-rancher/neuvector' }, - { - to: '/integrations-in-rancher/opa-gatekeeper', - from: '/explanations/integrations-in-rancher/opa-gatekeeper' - }, { to: '/v2.6/faq/general-faq', from: '/v2.6/faq' diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 145e327f3af0..9fbe04001f18 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md @@ -188,3 +188,7 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke * 检查你的 Keycloak 日志。 * 如果日志显示 `request validation failed: org.keycloak.common.VerificationException: SigAlg was null`,请在 Keycloak 客户端中将 `Client Signature Required` 设为 `OFF`。 + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 4b9daebde825..0e9201e1f998 100644 
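Review bot: removing the `/explanations/integrations-in-rancher/opa-gatekeeper` redirect in `docusaurus.config.js` is required because its target is deleted, but nothing redirects the target path `/integrations-in-rancher/opa-gatekeeper` itself, so existing bookmarks, search-engine results and third-party links now 404. Add an entry in the same redirect list pointing it at the successor content; the policy-engine guidance in `pod-security-standards.md` is the natural target.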
--- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -105,3 +105,7 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限 1. 在**用户和组搜索**下,选中**配置 OpenLDAP Server**。 如果你在测试与 OpenLDAP Server 的连接时遇到问题,请确保你输入了ServiceAccount 的凭证并正确配置了搜索库。你可以检查 Rancher 日志来查明根本原因。调试日志可能包含有关错误的更详细信息。请参阅[如何启用调试日志](../../../../faq/technical-items.md#如何启用调试日志记录)了解更多信息。 + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index 0eebb8363c90..bfe1b8628621 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md @@ -60,3 +60,7 @@ title: 配置 PingIdentity (SAML) - 用户组下拉列表仅显示你所属的用户组。如果你不是某个组的成员,你将无法添加该组。 ::: + +## Configuring SAML Single Logout (SLO) + + 
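Review bot: the heading inserted into the zh locale files (`i18n/zh/.../configure-okta-saml.md`, `configure-pingidentity.md`) is left in English, `## Configuring SAML Single Logout (SLO)`, on pages whose other headings are Chinese. Either leave the zh files out of this change and let translation follow `current`, or give them the translated heading (e.g. `## 配置 SAML 单点注销 (SLO)`) so the page does not mix languages.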
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index 325f86ca45b9..b29f42313d84 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md @@ -51,3 +51,7 @@ title: 2. 在 Rancher 中配置 Microsoft AD FS ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index fe0c5cde49bc..9056b1d91434 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md 
@@ -76,6 +76,10 @@ SAML 协议不支持用户或用户组的搜索或查找。因此,如果你没 要在 Rancher 中分配权限时启用搜索组,你需要为 SAML 身份认证服务配置支持组的后端(例如 OpenLDAP)。 +### Configuring SAML Single Logout (SLO) + + + # 在 Rancher 中设置 OpenLDAP 如果你将 OpenLDAP 配置为 Shibboleth 的后端,SAML 断言会返回到 Rancher,其中包括用于引用组的用户属性。然后,通过认证的用户将能够访问其所在的组有权访问的 Rancher 资源。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 145e327f3af0..9fbe04001f18 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md @@ -188,3 +188,7 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke * 检查你的 Keycloak 日志。 * 如果日志显示 `request validation failed: org.keycloak.common.VerificationException: SigAlg was null`,请在 Keycloak 客户端中将 `Client Signature Required` 设为 `OFF`。 + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 4b9daebde825..0e9201e1f998 100644 
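Review bot: two problems in this span. In the zh Shibboleth page the new `### Configuring SAML Single Logout (SLO)` sits directly above `# 在 Rancher 中设置 OpenLDAP`, an H1, so the hierarchy is now H3 followed by H1; match the page's own levels. More importantly, starting here the patch edits `i18n/zh/docusaurus-plugin-content-docs/version-2.10/...`, a versioned snapshot. The commit message says the SLO procedure is still an initial draft; if it ships in a release after 2.10, the 2.10 docs will advertise a section that does not apply to that version. Restrict the placeholder to `current` until the target release is known.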
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -105,3 +105,7 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限 1. 在**用户和组搜索**下,选中**配置 OpenLDAP Server**。 如果你在测试与 OpenLDAP Server 的连接时遇到问题,请确保你输入了ServiceAccount 的凭证并正确配置了搜索库。你可以检查 Rancher 日志来查明根本原因。调试日志可能包含有关错误的更详细信息。请参阅[如何启用调试日志](../../../../faq/technical-items.md#如何启用调试日志记录)了解更多信息。 + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index 0eebb8363c90..bfe1b8628621 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md @@ -60,3 +60,7 @@ title: 配置 PingIdentity (SAML) - 用户组下拉列表仅显示你所属的用户组。如果你不是某个组的成员,你将无法添加该组。 ::: + +## Configuring SAML Single Logout (SLO) + + 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index 325f86ca45b9..b29f42313d84 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md @@ -51,3 +51,7 @@ title: 2. 在 Rancher 中配置 Microsoft AD FS ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` + +## Configuring SAML Single Logout (SLO) + + diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index fe0c5cde49bc..9056b1d91434 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md 
@@ -76,6 +76,10 @@ SAML 协议不支持用户或用户组的搜索或查找。因此,如果你没 要在 Rancher 中分配权限时启用搜索组,你需要为 SAML 身份认证服务配置支持组的后端(例如 OpenLDAP)。 +### Configuring SAML Single Logout (SLO) + + + # 在 Rancher 中设置 OpenLDAP 如果你将 OpenLDAP 配置为 Shibboleth 的后端,SAML 断言会返回到 Rancher,其中包括用于引用组的用户属性。然后,通过认证的用户将能够访问其所在的组有权访问的 Rancher 资源。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md index 7c16ac101924..75053324a0e1 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md @@ -9,7 +9,7 @@ PSS 定义了工作负载的安全级别。PSA 描述了 Pod 安全上下文和 ## 升级到 Pod 安全标准 (PSS) -确保将所有 PSP 都迁移到了另一个工作负载安全机制,包括将你当前的 PSP 映射到 Pod 安全标准,以便使用 [PSA 控制器](https://kubernetes.io/docs/concepts/security/pod-security-admission/)执行。如果 PSA 控制器不能满足企业的所有需求,建议你使用策略引擎,例如 [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper)、[Kubewarden](https://www.kubewarden.io/)、[Kyverno](https://kyverno.io/) 或 [NeuVector](https://neuvector.com/)。有关如何迁移 PSP 的更多信息,请参阅你选择的策略引擎的文档。 +确保将所有 PSP 都迁移到了另一个工作负载安全机制,包括将你当前的 PSP 映射到 Pod 安全标准,以便使用 [PSA 控制器](https://kubernetes.io/docs/concepts/security/pod-security-admission/)执行。如果 PSA 控制器不能满足企业的所有需求,建议你使用策略引擎,例如 [Kubewarden](https://www.kubewarden.io/)、[Kyverno](https://kyverno.io/) 或 [NeuVector](https://neuvector.com/)。有关如何迁移 PSP 的更多信息,请参阅你选择的策略引擎的文档。 :::caution 必须在删除 PodSecurityPolicy 对象_之前_添加新的策略执行机制。否则,你可能会为集群内的特权升级攻击创造机会。 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 48ecc783bee5..de3ce4d164ab 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
@@ -161,10 +161,56 @@ spec: ::: +### Add Custom OCI Chart Repositories + +:::caution + +This feature is currently experimental and is not officially supported in Rancher. + +::: + +Helm v3 introduced storing Helm charts as [Open Container Initiative (OCI)](https://opencontainers.org/about/overview/) artifacts in container registries. With Rancher v2.9.0, you can add [OCI-based Helm chart repositories](https://helm.sh/docs/topics/registries/) alongside HTTP-based and Git-based repositories. This means you can deploy apps that are stored as OCI artifacts. For more information, see [Using OCI Helm Chart Repositories](./oci-repositories.md). + ### Helm 兼容性 仅支持 Helm 3 兼容 Chart 。 +#### Refresh Interval + +Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds. + +To modify the refresh interval of a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to modify, and click **⋮ > Edit YAML**. +1. Set the **refreshInterval** field under **Spec** to the desired value in seconds. +1. Click **Save**. + +### Enable/Disable Helm Chart Repositories + +Rancher v2.10.0 adds the ability to enable and disable Helm repositories. Helm repositories are enabled by default. + +To disable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **false**. +1. Click **Save**. +1. 
When you disable a repository, updates are disabled and new changes to the clusterRepo are not applied. + +To enable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **true**. +1. Click **Save**. + ### 部署和升级 Chart 安装和部署 chart: diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md index a1c89025444f..c6de1117793a 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md @@ -31,6 +31,5 @@ Rancher 包含 Kubernetes 中未包含的各种工具来协助你进行 DevOps - Logging - Monitoring - Istio 服务网格 -- OPA Gatekeeper 你可以通过 **Apps** 来安装工具。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md deleted file mode 100644 index 41c91274c668..000000000000 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md +++ /dev/null 
@@ -1,111 +0,0 @@ ---- -title: OPA Gatekeeper ---- - -为了确保一致性和合规性,每个组织都需要能够以自动化的方式在环境中定义和执行策略。[OPA(Open Policy Agent)](https://www.openpolicyagent.org/) 是一个策略引擎,用于基于策略控制云原生环境。Rancher 支持在 Kubernetes 集群中启用 OPA Gatekeeper,并且还安装了一些内置的策略定义(也称为约束模板)。 - -OPA 提供了一种高级声明性语言,可以让你将策略指定为代码,还能扩展简单的 API,从而减轻策略决策的负担。 - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) 是一个提供 OPA 和 Kubernetes 集成的项目。OPA Gatekeeper 提供: - -- 一个可扩展的参数化策略库。 -- 用于实例化策略库的原生 Kubernetes CRD,也称为“约束”。 -- 用于扩展策略库的原生 Kubernetes CRD,也称为“约束模板”。 -- 审计功能。 - -要了解更多关于 OPA 的信息,请参阅[官方文档](https://www.openpolicyagent.org/docs/latest/)。 - -## OPA Gatekeeper 集成的工作原理 - -Kubernetes 支持通过准入控制器(准入控制器)webhook 来扩展 API Server 的功能,创建、更新或删除资源时都会调用这些 webhook。Gatekeeper 作为验证 webhook 安装,并执行由 Kubernetes CRD(Custom Resource Definition)定义的策略。除了使用准入控制之外,Gatekeeper 还能审计 Kubernetes 集群中的现有资源,并对违反当前策略的情况进行标记。 - -OPA Gatekeeper 由 Rancher 的 Helm system Chart 提供,它安装在名为 `gatekeeper-system` 的命名空间中。 - -## 在集群中启用 OPA Gatekeeper - -:::note - -Rancher 2.5 改进了 OPA Gatekeeper 应用。无法从 Rancher 2.4 升级到 Rancher 2.5 中的新版本。如果你在 Rancher 2.4 中安装了 OPA Gatekeeper,则需要在旧 UI 中卸载 OPA Gatekeeper 及其 CRD,然后在 Rancher 2.5 中重新安装它。如需卸载 CRD,请在 kubectl 控制台中运行 `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh` 命令。 - -::: - -:::note 先决条件: - -只有管理员和集群所有者才能启用 OPA Gatekeeper。 - -::: - -你可以在 **Apps** 页面安装 OPA Gatekeeper Helm Chart。 - -### 启用 OPA Gatekeeper - -1. 在左上角,单击 **☰ > 集群管理**。 -1. 在**集群**页面中,转到要启用 OPA Gatekeeper 的集群,然后单击 **Explore**。 -1. 在左侧导航栏中,点击 **Apps**。 -1. 点击 **Charts** 并点击 **OPA Gatekeeper**。 -1. 
单击**安装**。 - -**结果**:已将 OPA Gatekeeper 部署到你的 Kubernetes 集群。 - -## 约束模板 - -[约束模板](https://github.com/open-policy-agent/gatekeeper#constraint-templates)是 Kubernetes 自定义资源,用于定义要由 Gatekeeper 应用的 OPA 策略的架构和 Rego 逻辑。有关 Rego 策略语言的更多信息,请参阅[官方文档](https://www.openpolicyagent.org/docs/latest/policy-language/)。 - -启用 OPA Gatekeeper 后,Rancher 默认会安装一些模板。 - -要列出集群中安装的约束模板,请转到 OPA Gatekeeper 下的左侧菜单,然后单击**模板**。 - -Rancher 还支持通过导入 YAML 定义来创建你自己的约束模板。 - -## 创建和配置约束 - -[约束](https://github.com/open-policy-agent/gatekeeper#constraints)是 Kubernetes 自定义资源,用于定义要应用约束模板的对象范围。约束模板和约束共同定义一个完整的策略。 - -:::note 先决条件: - -集群中已启用 OPA Gatekeeper。 - -::: - -要列出已安装的约束,请转到 OPA Gatekeeper 下的左侧菜单,然后单击**约束**。 - -可以从约束模板创建新的约束。 - -Rancher 支持通过使用方便的表单来创建约束,你可以在该表单中输入各种约束字段。 - -**以 YAML 文件编辑**选项也可以用于配置约束的 YAML 定义。 - -### 使 Rancher 的 System 命名空间不受约束 - -创建约束时,请确保该约束不应用于任何 Rancher 或 Kubernetes System 命名空间。如果不排除 System 命名空间,则可能会出现 system 命名空间下的许多资源被标记为违反约束。 - -要让约束仅限制用户命名空间,请在约束的**匹配**字段下指定这些命名空间。 - -此外,该约束可能会干扰其他 Rancher 功能并拒绝部署系统工作负载。为避免这种情况,请从你的约束中排除所有 Rancher 特定的命名空间。 - -## 在集群中实施约束 - -如果**执行动作**为 **Deny**,约束会立即启用,并拒绝任何违反策略的请求。默认情况下,执行的值为 **Deny**。 - -如果**执行动作** 为 **Dryrun**,违反策略的资源仅会记录在约束的状态字段中。 - -要强制执行约束,请使用表单创建约束。在**执行动作**字段中,选择 **Deny**。 - -## 集群中的审计和违规 - -OPA Gatekeeper 运行定期审计,以检查现有资源是否违反强制执行的约束。你可以在安装 Gatekeeper 时配置审计间隔(默认 300 秒)。 - -Gatekeeper 页面上列出了违反已定义的约束的情况。 - -此外,你也可以在**约束**页面中找到违反约束的数量。 - -每个约束的详细信息视图列出了违反约束的资源的信息。 - -## 禁用 Gatekeeper - -1. 导航到集群的仪表板视图。 -1. 在左侧菜单中,展开集群菜单并单击 **OPA Gatekeeper**。 -1. 单击 **⋮ > 禁用**。 - -**结果**:禁用 OPA Gatekeeper 后,所有约束模板和约束也将被删除。 - diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md index e454be93e768..29a448f3a1f6 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md 
@@ -4,7 +4,6 @@ title: 集群工具:Logging,Monitoring 和可视化 Rancher 包含 Kubernetes 中未包含的各种工具来协助你进行 DevOps 操作。Rancher 可以与外部服务集成,让你的集群更高效地运行。工具分为以下几类: - ## Logging Logging 支持: @@ -18,6 +17,7 @@ Logging 支持: Rancher 可以与 Elasticsearch、splunk、kafka、syslog 和 fluentd 集成。 有关详细信息,请参阅 [Logging 文档](../integrations-in-rancher/logging/logging.md)。 + ## 监控和告警 你可以使用 Rancher,通过业界领先并开源的 [Prometheus](https://prometheus.io/) 来监控集群节点、Kubernetes 组件和软件部署的状态和进程。 @@ -37,9 +37,6 @@ Rancher 可以与 Elasticsearch、splunk、kafka、syslog 和 fluentd 集成。 Rancher v2.5 改进了与 Istio 的集成。 如需更多信息,请参阅 [Istio 文档](..//integrations-in-rancher/istio/istio.md)。 -## OPA Gatekeeper - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) 是一个开源项目,它对 OPA 和 Kubernetes 进行了集成,以通过许可控制器 Webhook 提供策略控制。有关如何在 Rancher 中启用 Gatekeeper 的详细信息,请参阅 [OPA Gatekeeper](../integrations-in-rancher/opa-gatekeeper.md)。 ## CIS 扫描 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md index e2bb53eddc88..267488febfa0 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md @@ -16,7 +16,6 @@ Rancher 将在 GitHub 上发布的 Rancher 的[发版说明](https://github.com/ | Patch Version | Release Date | | ----------------------------------------------------------------- | -------------------| -| [2.7.17](https://github.com/rancher/rancher/releases/tag/v2.7.17) | 2024 年 11 月 05 日 | | [2.7.16](https://github.com/rancher/rancher/releases/tag/v2.7.16) | 2024 年 10 月 24 日 | | [2.7.15](https://github.com/rancher/rancher/releases/tag/v2.7.15) | 2024 年 7 月 31 日 | | [2.7.14](https://github.com/rancher/rancher/releases/tag/v2.7.14) | 2024 年 6 月 17 日 | 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 0439b0554d8e..268352f336b5 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md @@ -19,7 +19,6 @@ title: 安装 Adapter | Rancher 版本 | Adapter 版本 | | ------------ | :----------: | -| v2.7.17 | v2.0.4 | | v2.7.16 | v2.0.4 | | v2.7.15 | v2.0.4 | | v2.7.14 | v2.0.4 | diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md index fe651722787e..b60bf42ee33a 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md @@ -20,7 +20,6 @@ Rancher 将 Rancher-Webhook 作为单独的 deployment 和服务部署在 local | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| -| v2.7.17 | v0.3.13 | ✓ | N/A | | v2.7.16 | v0.3.12 | ✓ | N/A | | v2.7.15 | v0.3.11 | ✓ | N/A | | v2.7.14 | v0.3.11 | ✓ | N/A | diff --git a/shared-files/_configure-slo.md b/shared-files/_configure-slo.md new file mode 100644 index 000000000000..4e6c59c6f53e --- /dev/null +++ b/shared-files/_configure-slo.md 
@@ -0,0 +1,16 @@ +Rancher supports the ability to configure SAML SLO. Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options. The steps below outline configuration from the application GUI: + +:::note +The **Log Out behavior** configuration section only appears if the SAML authentication provider allows for `SAML SLO`. +::: + +1. Sign in to Rancher using a standard user or an administrator role to configure SAML SLO. +1. In the top left corner, click **☰ > Users & Authentication**. +1. In the left navigation menu, click **Auth Provider**. +1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below: + + | Setting | Description | + | ------------------------- | ----------------------------------------------------------------------------- | + | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. | + | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. | + | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. | diff --git a/sidebars.js b/sidebars.js index 9cdc5eab27bd..12a6e77233ef 100644 --- a/sidebars.js +++ b/sidebars.js 
@@ -845,8 +845,7 @@ const sidebars = { "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", - "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" ] } ] @@ -1293,7 +1292,6 @@ const sidebars = { "integrations-in-rancher/monitoring-and-alerting/promql-expressions", ] }, - "integrations-in-rancher/opa-gatekeeper", "integrations-in-rancher/rancher-extensions", ] }, diff --git a/src/pages/versions.md b/src/pages/versions.md index 358b424f7d24..05899853f5a5 100644 --- a/src/pages/versions.md +++ b/src/pages/versions.md @@ -60,9 +60,9 @@ Here you can find links to supporting documentation for the current released ver Community - v2.7.17 + v2.7.16 Documentation - Release Notes + Release Notes
N/A
N/A
@@ -208,14 +208,6 @@ Here you can find links to supporting documentation for previous versions of Ran Prime Community - - v2.7.16 - Documentation - Release Notes -
N/A
-
-
N/A
- v2.7.15 Documentation diff --git a/src/theme/MDXComponents.js b/src/theme/MDXComponents.js index b5ef8bfde0f5..96351a571700 100644 --- a/src/theme/MDXComponents.js +++ b/src/theme/MDXComponents.js @@ -11,6 +11,7 @@ import DeprecationOPAGatekeeper from '/shared-files/_deprecation-opa-gatekeeper. import DeprecationWeave from '/shared-files/_deprecation-weave.md'; import DeprecationHelm2 from '/shared-files/_deprecation-helm2.md'; import DockerSupportWarning from '/shared-files/_docker-support-warning.md'; +import ConfigureSLO from '/shared-files/_configure-slo.md'; export default { // Re-use the default mapping @@ -23,6 +24,7 @@ export default { Card, CNIPopularityTable, + ConfigureSLO, DeprecationOPAGatekeeper, DeprecationWeave, DeprecationHelm2, diff --git a/versioned_docs/version-2.10/api/workflows/projects.md b/versioned_docs/version-2.10/api/workflows/projects.md index ea4b6fe66f39..7b7ced1e6d04 100644 --- a/versioned_docs/version-2.10/api/workflows/projects.md +++ b/versioned_docs/version-2.10/api/workflows/projects.md @@ -49,6 +49,10 @@ EOF Setting the `field.cattle.io/creatorId` field allows the cluster member account to see project resources with the `get` command and view the project in the Rancher UI. Cluster owner and admin accounts don't need to set this annotation to perform these tasks. +Setting the `field.cattle.io/creator-principal-name` annotation to the user's principal preserves it in a projectroletemplatebinding automatically created for the project owner. + +If you don't want the creator to be added as the owner member (e.g. if the creator is a cluster administrator) to the project you may set the `field.cattle.io/no-creator-rbac` annotation to `true`, which will prevent the corresponding projectroletemplatebinding from being created. + ### Creating a Project With a Resource Quota Refer to [Kubernetes Resource Quota](https://kubernetes.io/docs/concepts/policy/resource-quotas/). 
@@ -91,6 +95,77 @@ spec: limitsMemory: 100Mi requestsCpu: 50m requestsMemory: 50Mi +EOF +``` + +## Adding a Member to a Project + +Look up the project ID to specify the `metadata.namespace` field and `projectName` field values. + +```bash +kubectl --namespace c-m-abcde get projects +``` + +Look up the role template ID to specify the `roleTemplateName` field value (e.g. `project-member` or `project-owner`). + +```bash +kubectl get roletemplates +``` + +When adding a user member specify the `userPrincipalName` field: + +```bash +kubectl create -f - < diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 1f601689bc11..0496237f3858 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md 
@@ -107,4 +107,8 @@ The OpenLDAP service account is used for all searches. Rancher users will see us 1. Click **Okta** or, if SAML is already configured, **Edit Config** 1. Under **User and Group Search**, check **Configure an OpenLDAP server** -If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. \ No newline at end of file +If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. + +## Configuring SAML Single Logout (SLO) + + diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index e45d179881e5..6a40e9343f28 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md 
@@ -64,3 +64,7 @@ Note that these URLs will not return valid data until the authentication configu - The group drop-down shows only the groups that you are a member of. You will not be able to add groups that you are not a member of. ::: + +## Configuring SAML Single Logout (SLO) + + diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index 492737803f5b..b2785bd83f0f 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md @@ -51,3 +51,7 @@ You can generate a certificate using an openssl command. For example: ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` + +## Configuring SAML Single Logout (SLO) + + diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index a57f4882050a..1480b024af9d 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md 
+++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md @@ -77,6 +77,10 @@ If you configure Shibboleth without OpenLDAP, the following caveats apply due to To enable searching for groups when assigning permissions in Rancher, you will need to configure a back end for the SAML provider that supports groups, such as OpenLDAP. +### Configuring SAML Single Logout (SLO) + + + ## Setting up OpenLDAP in Rancher If you also configure OpenLDAP as the back end to Shibboleth, it will return a SAML assertion to Rancher with user attributes that include groups. Then authenticated users will be able to access resources in Rancher that their groups have permissions for. diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md index 7b55b963fda3..5e8f2ee3b584 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md 
@@ -13,7 +13,7 @@ PSS define security levels for workloads. PSAs describe requirements for pod sec ## Upgrade to Pod Security Standards (PSS) -Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper), [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. +Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. :::caution You must add your new policy enforcement mechanisms _before_ you remove the PodSecurityPolicy objects. If you don't, you may create an opportunity for privilege escalation attacks within the cluster. diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 84ae382badbb..3899b363f8ab 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
+++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
@@ -194,6 +194,42 @@ Non-Airgap Rancher installations upon refresh will reflect any chart repository Airgap installations where Rancher is configured to use the packaged copy of Helm system charts ([`useBundledSystemChart=true`](../../../getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md#helm-chart-options-for-air-gap-installations)) will only refer to the [system-chart](https://github.com/rancher/system-charts) repository that comes bundled and will not be able to be refreshed or synced. +#### Refresh Interval + +Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds. + +To modify the refresh interval of a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to modify, and click **⋮ > Edit YAML**. +1. Set the **refreshInterval** field under **Spec** to the desired value in seconds. +1. Click **Save**. + +### Enable/Disable Helm Chart Repositories + +Rancher v2.10.0 adds the ability to enable and disable Helm repositories. Helm repositories are enabled by default. + +To disable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **false**. +1. Click **Save**. +1. When you disable a repository, updates are disabled and new changes to the clusterRepo are not applied. 
+ +To enable a chart repository: + +1. Click **☰ > Cluster Management**. +1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. +1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. +1. Find the repository you want to disable, and click **⋮ > Edit YAML**. +1. Set the **Enabled** field under **Spec** to **true**. +1. Click **Save**. + ## Deploy and Upgrade Charts To install and deploy a chart: @@ -201,7 +237,7 @@ To install and deploy a chart: 1. Click **☰ > Cluster Management**. 1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. 1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Charts**. -1. Select a chart, and click **Install**. +1. Select a chart, and click **Install**. Rancher and Partner charts may have extra configurations available through custom pages or questions.yaml files. However, all chart installations can modify the values.yaml and other basic settings. After you click **Install**, a Helm operation job is deployed, and the console for the job is displayed. diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md index eafa50faff9d..a694c2f77c2c 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md @@ -31,6 +31,5 @@ Rancher contains a variety of tools that aren't included in Kubernetes to assist - Logging - Monitoring - Istio Service Mesh -- OPA Gatekeeper Tools can be installed through **Apps.** 
diff --git a/versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md b/versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md deleted file mode 100644 index cea9732b36cd..000000000000 --- a/versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -title: OPA Gatekeeper ---- - - - - - - - -To ensure consistency and compliance, every organization needs the ability to define and enforce policies in its environment in an automated way. [OPA (Open Policy Agent)](https://www.openpolicyagent.org/) is a policy engine that facilitates policy-based control for cloud native environments. Rancher provides the ability to enable OPA Gatekeeper in Kubernetes clusters, and also installs a couple of built-in policy definitions, which are also called constraint templates. - -OPA provides a high-level declarative language that lets you specify policy as code and ability to extend simple APIs to offload policy decision-making. - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: - -- An extensible, parameterized policy library. -- Native Kubernetes CRDs for instantiating the policy library, also called “constraints." -- Native Kubernetes CRDs for extending the policy library, also called "constraint templates." -- Audit functionality. - -To read more about OPA, please refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/) - -## How the OPA Gatekeeper Integration Works - -Kubernetes provides the ability to extend API server functionality via admission controller webhooks, which are invoked whenever a resource is created, updated or deleted. Gatekeeper is installed as a validating webhook and enforces policies defined by Kubernetes custom resource definitions. In addition to the admission control usage, Gatekeeper provides the capability to audit existing resources in Kubernetes clusters and mark current violations of enabled policies. 
- -OPA Gatekeeper is made available via Rancher's Helm system chart, and it is installed in a namespace named `gatekeeper-system.` - -## Enabling OPA Gatekeeper in a Cluster - -:::note - -In Rancher v2.5, the OPA Gatekeeper application was improved. The Rancher v2.4 feature can't be upgraded to the new version in Rancher v2.5. If you installed OPA Gatekeeper in Rancher v2.4, you will need to uninstall OPA Gatekeeper and its CRDs from the old UI, then reinstall it in Rancher v2.5. To uninstall the CRDs run the following command in the kubectl console `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh`. - -::: - -:::note Prerequisite: - -Only administrators and cluster owners can enable OPA Gatekeeper. - -::: - -The OPA Gatekeeper Helm chart can be installed from **Apps**. - -### Enabling OPA Gatekeeper - -1. In the upper left corner, click **☰ > Cluster Management**. -1. In the **Clusters** page, go to the cluster where you want to enable OPA Gatekeeper and click **Explore**. -1. In the left navigation bar, click **Apps**. -1. Click **Charts** and click **OPA Gatekeeper**. -1. Click **Install**. - -**Result:** OPA Gatekeeper is deployed in your Kubernetes cluster. - -## Constraint Templates - -[Constraint templates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) are Kubernetes custom resources that define the schema and Rego logic of the OPA policy to be applied by Gatekeeper. For more information on the Rego policy language, refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/policy-language/) - -When OPA Gatekeeper is enabled, Rancher installs some templates by default. - -To list the constraint templates installed in the cluster, go to the left side menu under OPA Gatekeeper and click on **Templates**. - -Rancher also provides the ability to create your own constraint templates by importing YAML definitions. 
- -## Creating and Configuring Constraints - -[Constraints](https://github.com/open-policy-agent/gatekeeper#constraints) are Kubernetes custom resources that define the scope of objects to which a specific constraint template applies to. The complete policy is defined by constraint templates and constraints together. - -:::note Prerequisite: - -OPA Gatekeeper must be enabled in the cluster. - -::: - -To list the constraints installed, go to the left side menu under OPA Gatekeeper, and click on **Constraints**. - -New constraints can be created from a constraint template. - -Rancher provides the ability to create a constraint by using a convenient form that lets you input the various constraint fields. - -The **Edit as yaml** option is also available to configure the the constraint's yaml definition. - -### Exempting Rancher's System Namespaces from Constraints - -When a constraint is created, ensure that it does not apply to any Rancher or Kubernetes system namespaces. If the system namespaces are not excluded, then it is possible to see many resources under them marked as violations of the constraint. - -To limit the scope of the constraint only to user namespaces, always specify these namespaces under the **Match** field of the constraint. - -Also, the constraint may interfere with other Rancher functionality and deny system workloads from being deployed. To avoid this, exclude all Rancher-specific namespaces from your constraints. - -## Enforcing Constraints in your Cluster - -When the **Enforcement Action** is **Deny,** the constraint is immediately enabled and will deny any requests that violate the policy defined. By default, the enforcement value is **Deny**. - -When the **Enforcement Action** is **Dryrun,** then any resources that violate the policy are only recorded under the constraint's status field. - -To enforce constraints, create a constraint using the form. In the **Enforcement Action** field, choose **Deny**. 
- -## Audit and Violations in your Cluster - -OPA Gatekeeper runs a periodic audit to check if any existing resource violates any enforced constraint. The audit-interval (default 300s) can be configured while installing Gatekeeper. - -On the Gatekeeper page, any violations of the defined constraints are listed. - -Also under **Constraints,** the number of violations of the constraint can be found. - -The detail view of each constraint lists information about the resource that violated the constraint. - -## Disabling Gatekeeper - -1. Navigate to the cluster's Dashboard view -1. On the left side menu, expand the cluster menu and click on **OPA Gatekeeper**. -1. Click the **⋮ > Disable**. - -**Result:** Upon disabling OPA Gatekeeper, all constraint templates and constraints will also be deleted. - diff --git a/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md b/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md index 4607ae590353..ad46fbdd9d25 100644 --- a/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md +++ b/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md @@ -42,12 +42,6 @@ Rancher's integration with Istio was improved in Rancher v2.5. For more information, refer to the Istio documentation [here.](../integrations-in-rancher/istio/istio.md) -## OPA Gatekeeper - - - -[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is an open-source project that provides integration between OPA and Kubernetes to provide policy control via admission controller webhooks. For details on how to enable Gatekeeper in Rancher, refer to the [OPA Gatekeeper section.](../integrations-in-rancher/opa-gatekeeper.md) - ## CIS Scans Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. 
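Review bot: deleting `versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md` removes the only 2.10 text that tells users to keep constraints off the Rancher and Kubernetes system namespaces and that warns that disabling Gatekeeper deletes every template and constraint; the `## OPA Gatekeeper` block removed from `rancher-cluster-tools.md` in the same group and the sidebar entry dropped further down are the references this commit knows about, but other 2.10 pages may still link to `integrations-in-rancher/opa-gatekeeper.md`, so run the docs link check before merging. Since the diffstat of `[PATCH 20/29] Syncing with main` below lists `versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md | 117 ++++++++++++++++++` being created again, this delete-then-recreate pair should be squashed so the published history never shows the page missing.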
diff --git a/versioned_docs/version-2.7/faq/deprecated-features.md b/versioned_docs/version-2.7/faq/deprecated-features.md index 6a0710dd106c..3d46bcdaeeb1 100644 --- a/versioned_docs/version-2.7/faq/deprecated-features.md +++ b/versioned_docs/version-2.7/faq/deprecated-features.md @@ -16,8 +16,7 @@ Rancher will publish deprecated features as part of the [release notes](https:// | Patch Version | Release Date | |---------------|---------------| -| [2.7.17](https://github.com/rancher/rancher/releases/tag/v2.7.17) | Nov 5, 2024 | -| [2.7.16](https://github.com/rancher/rancher/releases/tag/v2.7.16) | Oct 24, 2024 | +| [2.7.16](https://github.com/rancher/rancher/releases/tag/v2.7.16) | Oct 24, 2024 | | [2.7.15](https://github.com/rancher/rancher/releases/tag/v2.7.15) | July 31, 2024 | | [2.7.14](https://github.com/rancher/rancher/releases/tag/v2.7.14) | June 17, 2024 | | [2.7.13](https://github.com/rancher/rancher/releases/tag/v2.7.13) | May 16, 2024 | diff --git a/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 376630d7fcd9..56e32b3c4741 100644 --- a/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md @@ -19,7 +19,6 @@ In order to deploy and run the adapter successfully, you need to ensure its vers | Rancher Version | Adapter Version | |-----------------|:---------------:| -| v2.7.17 | v2.0.4 | | v2.7.16 | v2.0.4 | | v2.7.15 | v2.0.4 | | v2.7.14 | v2.0.4 | diff --git a/versioned_docs/version-2.7/reference-guides/rancher-webhook.md b/versioned_docs/version-2.7/reference-guides/rancher-webhook.md index 66eaa5b3c4f9..eda9e52c1fd1 100644 --- a/versioned_docs/version-2.7/reference-guides/rancher-webhook.md 
+++ b/versioned_docs/version-2.7/reference-guides/rancher-webhook.md @@ -20,7 +20,6 @@ Each Rancher version is designed to be compatible with a single version of the w | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| -| v2.7.17 | v0.3.13 | ✓ | N/A | | v2.7.16 | v0.3.12 | ✓ | N/A | | v2.7.15 | v0.3.11 | ✓ | N/A | | v2.7.14 | v0.3.11 | ✓ | N/A | diff --git a/versioned_docs/version-2.8/api/workflows/projects.md b/versioned_docs/version-2.8/api/workflows/projects.md index 33c6f27c4b43..d811132828a8 100644 --- a/versioned_docs/version-2.8/api/workflows/projects.md +++ b/versioned_docs/version-2.8/api/workflows/projects.md 
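Review bot: the three table hunks (`deprecated-features.md`, `install-adapter.md`, `rancher-webhook.md`) each delete the v2.7.17 row (Nov 5, 2024; adapter v2.0.4; webhook v0.3.13), yet the diffstat of `[PATCH 20/29] Syncing with main` below lists the same three files gaining lines again (`deprecated-features.md | 3 +-`, `install-adapter.md | 1 +`, `rancher-webhook.md | 1 +`). That is a stale-branch revert rather than an intended change; squash the pair so that a release row, and with it the webhook version operators use to check compatibility, never disappears from the history. The `deprecated-features.md` hunk also rewrites the unchanged `2.7.16` line instead of only deleting the `2.7.17` one, which suggests a whitespace difference worth removing so the diff is a pure deletion.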
@@ -91,6 +91,77 @@ spec: limitsMemory: 100Mi requestsCpu: 50m requestsMemory: 50Mi +EOF +``` + +## Adding a Member to a Project + +Look up the project ID to specify the `metadata.namespace` field and `projectName` field values. + +```bash +kubectl --namespace c-m-abcde get projects +``` + +Look up the role template ID to specify the `roleTemplateName` field value (e.g. `project-member` or `project-owner`). + +```bash +kubectl get roletemplates +``` + +When adding a user member specify the `userPrincipalName` field: + +```bash +kubectl create -f - < - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. 
- -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. diff --git a/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index c0bdf07d88db..1e73af430af9 100644 --- a/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/versioned_sidebars/version-2.10-sidebars.json b/versioned_sidebars/version-2.10-sidebars.json index 072459e52284..7af1666eee9d 100644 --- a/versioned_sidebars/version-2.10-sidebars.json +++ b/versioned_sidebars/version-2.10-sidebars.json 
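Review bot: in the `version-2.8/api/workflows/projects.md` hunk, the example after "When adding a user member specify the `userPrincipalName` field:" stops at `kubectl create -f - <`, so the ProjectRoleTemplateBinding manifest that the surrounding text describes (`metadata.namespace`, `projectName`, `roleTemplateName`, `userPrincipalName`) is not on the page as it appears here; make sure the full heredoc (`<<EOF ... EOF`) is present in the rendered file, because readers copy it verbatim. While touching it, add one sentence saying that `project-member` is the normal choice and `project-owner` should be granted only when the user must manage the project's members and role bindings, since the text currently lists both as interchangeable examples. The following removal of `disconnected-clusters.md` from version-2.9 is also content that the `[PATCH 20/29]` diffstat below re-adds (`disconnected-clusters.md | 19 +++`), so it belongs in the same squash.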
@@ -1253,7 +1253,6 @@ "integrations-in-rancher/monitoring-and-alerting/promql-expressions" ] }, - "integrations-in-rancher/opa-gatekeeper", "integrations-in-rancher/rancher-extensions" ] }, diff --git a/versioned_sidebars/version-2.9-sidebars.json b/versioned_sidebars/version-2.9-sidebars.json index 05fe81be8513..072459e52284 100644 --- a/versioned_sidebars/version-2.9-sidebars.json +++ b/versioned_sidebars/version-2.9-sidebars.json @@ -809,8 +809,7 @@ "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", - "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" ] } ] From 1584fa9cfcdd59cfb1adfa7f6ea2b7f9f5731e44 Mon Sep 17 00:00:00 2001 From: Sunil Singh Date: Thu, 7 Nov 2024 12:51:04 -0800 Subject: [PATCH 20/29] Syncing with main 
Signed-off-by: Sunil Singh --- docs/api/workflows/projects.md | 77 +----------- .../installation-references/feature-flags.md | 6 +- .../configure-keycloak-saml.md | 4 - .../configure-okta-saml.md | 6 +- .../configure-pingidentity.md | 4 - .../configure-rancher-for-ms-adfs.md | 4 - .../configure-shibboleth-saml.md | 4 - .../pod-security-standards.md | 2 +- .../helm-charts-in-rancher.md | 38 +----- .../manage-clusters/manage-clusters.md | 1 + .../integrations-in-rancher/opa-gatekeeper.md | 117 ++++++++++++++++++ .../disconnected-clusters.md | 19 +++ .../rancher-managed-clusters.md | 4 + .../reference-guides/rancher-cluster-tools.md | 6 + docusaurus.config.js | 4 + .../configure-keycloak-saml.md | 4 - .../configure-okta-saml.md | 4 - .../configure-pingidentity.md | 4 - .../configure-rancher-for-ms-adfs.md | 4 - .../configure-shibboleth-saml.md | 4 - .../disconnected-clusters.md | 19 +++ .../rancher-managed-clusters.md | 4 + .../configure-keycloak-saml.md | 4 - .../configure-okta-saml.md | 4 - .../configure-pingidentity.md | 4 - .../configure-rancher-for-ms-adfs.md | 4 - .../configure-shibboleth-saml.md | 4 - .../pod-security-standards.md | 2 +- .../helm-charts-in-rancher.md | 46 ------- .../manage-clusters/manage-clusters.md | 1 + .../integrations-in-rancher/opa-gatekeeper.md | 111 +++++++++++++++++ .../disconnected-clusters.md | 19 +++ .../rancher-managed-clusters.md | 4 + .../reference-guides/rancher-cluster-tools.md | 5 +- .../version-2.7/faq/deprecated-features.md | 1 + .../aws-cloud-marketplace/install-adapter.md | 1 + .../disconnected-clusters.md | 19 +++ .../rancher-managed-clusters.md | 4 + .../reference-guides/rancher-webhook.md | 1 + .../disconnected-clusters.md | 19 +++ .../rancher-managed-clusters.md | 4 + .../disconnected-clusters.md | 19 +++ .../rancher-managed-clusters.md | 4 + sidebars.js | 4 +- src/pages/versions.md | 12 +- src/theme/MDXComponents.js | 2 - .../version-2.10/api/workflows/projects.md | 77 +----------- 
.../installation-references/feature-flags.md | 6 +- .../configure-keycloak-saml.md | 4 - .../configure-okta-saml.md | 6 +- .../configure-pingidentity.md | 4 - .../configure-rancher-for-ms-adfs.md | 4 - .../configure-shibboleth-saml.md | 4 - .../pod-security-standards.md | 2 +- .../helm-charts-in-rancher.md | 38 +----- .../manage-clusters/manage-clusters.md | 1 + .../integrations-in-rancher/opa-gatekeeper.md | 117 ++++++++++++++++++ .../disconnected-clusters.md | 19 +++ .../rancher-managed-clusters.md | 4 + .../reference-guides/rancher-cluster-tools.md | 6 + .../version-2.7/faq/deprecated-features.md | 3 +- .../aws-cloud-marketplace/install-adapter.md | 1 + .../disconnected-clusters.md | 19 +++ .../rancher-managed-clusters.md | 4 + .../reference-guides/rancher-webhook.md | 1 + .../version-2.8/api/workflows/projects.md | 71 ----------- .../disconnected-clusters.md | 19 +++ .../rancher-managed-clusters.md | 4 + .../version-2.9/api/workflows/projects.md | 73 +---------- .../disconnected-clusters.md | 19 +++ .../rancher-managed-clusters.md | 4 + versioned_sidebars/version-2.10-sidebars.json | 4 +- versioned_sidebars/version-2.7-sidebars.json | 3 +- versioned_sidebars/version-2.8-sidebars.json | 3 +- versioned_sidebars/version-2.9-sidebars.json | 3 +- 75 files changed, 641 insertions(+), 519 deletions(-) create mode 100644 docs/integrations-in-rancher/opa-gatekeeper.md create mode 100644 docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md create mode 100644 i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md create mode 100644 i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md create mode 100644 i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md create mode 100644 
i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md create mode 100644 i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md create mode 100644 i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md create mode 100644 versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md create mode 100644 versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md create mode 100644 versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md create mode 100644 versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md create mode 100644 versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md diff --git a/docs/api/workflows/projects.md b/docs/api/workflows/projects.md index 7b7ced1e6d04..ea4b6fe66f39 100644 --- a/docs/api/workflows/projects.md +++ b/docs/api/workflows/projects.md 
@@ -49,10 +49,6 @@ EOF Setting the `field.cattle.io/creatorId` field allows the cluster member account to see project resources with the `get` command and view the project in the Rancher UI. Cluster owner and admin accounts don't need to set this annotation to perform these tasks. -Setting the `field.cattle.io/creator-principal-name` annotation to the user's principal preserves it in a projectroletemplatebinding automatically created for the project owner. - -If you don't want the creator to be added as the owner member (e.g. if the creator is a cluster administrator) to the project you may set the `field.cattle.io/no-creator-rbac` annotation to `true`, which will prevent the corresponding projectroletemplatebinding from being created. - ### Creating a Project With a Resource Quota Refer to [Kubernetes Resource Quota](https://kubernetes.io/docs/concepts/policy/resource-quotas/). @@ -95,77 +91,6 @@ spec: limitsMemory: 100Mi requestsCpu: 50m requestsMemory: 50Mi -EOF -``` - -## Adding a Member to a Project - -Look up the project ID to specify the `metadata.namespace` field and `projectName` field values. - -```bash -kubectl --namespace c-m-abcde get projects -``` - -Look up the role template ID to specify the `roleTemplateName` field value (e.g. `project-member` or `project-owner`). - -```bash -kubectl get roletemplates -``` - -When adding a user member specify the `userPrincipalName` field: - -```bash -kubectl create -f - < diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 0496237f3858..1f601689bc11 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md 
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -107,8 +107,4 @@ The OpenLDAP service account is used for all searches. Rancher users will see us 1. Click **Okta** or, if SAML is already configured, **Edit Config** 1. Under **User and Group Search**, check **Configure an OpenLDAP server** -If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. - -## Configuring SAML Single Logout (SLO) - - +If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. \ No newline at end of file diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index 6a40e9343f28..e45d179881e5 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md 
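Review bot: the `docs/api/workflows/projects.md` hunk removes the two paragraphs on `field.cattle.io/creator-principal-name` and `field.cattle.io/no-creator-rbac` together with the whole "Adding a Member to a Project" section, although the commit is titled "Syncing with main"; a sync should not drop documentation, so either the branch is behind main and the rebase needs redoing, or the removal needs its own commit and a reason. The `no-creator-rbac` paragraph in particular is the documented way to stop a cluster administrator who creates a project from being bound as its owner, which is the least-privilege behaviour operators ask for, so losing it silently is a regression.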
@@ -64,7 +64,3 @@ Note that these URLs will not return valid data until the authentication configu - The group drop-down shows only the groups that you are a member of. You will not be able to add groups that you are not a member of. ::: - -## Configuring SAML Single Logout (SLO) - - diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index b2785bd83f0f..492737803f5b 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md @@ -51,7 +51,3 @@ You can generate a certificate using an openssl command. For example: ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` - -## Configuring SAML Single Logout (SLO) - - diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index 1480b024af9d..a57f4882050a 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md 
@@ -77,10 +77,6 @@ If you configure Shibboleth without OpenLDAP, the following caveats apply due to To enable searching for groups when assigning permissions in Rancher, you will need to configure a back end for the SAML provider that supports groups, such as OpenLDAP. -### Configuring SAML Single Logout (SLO) - - - ## Setting up OpenLDAP in Rancher If you also configure OpenLDAP as the back end to Shibboleth, it will return a SAML assertion to Rancher with user attributes that include groups. Then authenticated users will be able to access resources in Rancher that their groups have permissions for. diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md index 5e8f2ee3b584..7b55b963fda3 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md 
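Review bot: the five SAML pages (Keycloak, Okta, Ping Identity, AD FS, Shibboleth) lose the empty `Configuring SAML Single Logout (SLO)` headings that `[PATCH 01/29]` added as placeholders; removing empty headings is fine, but it means that at this point in the series none of the pages carries the SLO content the PR set out to document, so confirm a later patch adds it. When it is written, it should state what Rancher does with its own session and tokens on an SLO request, not only how to enable it in the UI, because a logout that ends only the IdP session leaves the Rancher session usable. The Okta hunk also rewrites the final paragraph solely to drop its trailing newline (`\ No newline at end of file`); keep the newline so the diff stays a pure deletion.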
@@ -13,7 +13,7 @@ PSS define security levels for workloads. PSAs describe requirements for pod sec ## Upgrade to Pod Security Standards (PSS) -Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. +Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper), [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. :::caution You must add your new policy enforcement mechanisms _before_ you remove the PodSecurityPolicy objects. If you don't, you may create an opportunity for privilege escalation attacks within the cluster. diff --git a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 8542096e1a16..728da0d4dc18 100644 --- a/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
+++ b/docs/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
@@ -194,42 +194,6 @@ Non-Airgap Rancher installations upon refresh will reflect any chart repository Airgap installations where Rancher is configured to use the packaged copy of Helm system charts ([`useBundledSystemChart=true`](../../../getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md#helm-chart-options-for-air-gap-installations)) will only refer to the [system-chart](https://github.com/rancher/system-charts) repository that comes bundled and will not be able to be refreshed or synced. -#### Refresh Interval - -Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds. - -To modify the refresh interval of a chart repository: - -1. Click **☰ > Cluster Management**. -1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. -1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. -1. Find the repository you want to modify, and click **⋮ > Edit YAML**. -1. Set the **refreshInterval** field under **Spec** to the desired value in seconds. -1. Click **Save**. - -### Enable/Disable Helm Chart Repositories - -Rancher v2.10.0 adds the ability to enable and disable Helm repositories. Helm repositories are enabled by default. - -To disable a chart repository: - -1. Click **☰ > Cluster Management**. -1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. -1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. -1. Find the repository you want to disable, and click **⋮ > Edit YAML**. -1. Set the **Enabled** field under **Spec** to **false**. -1. Click **Save**. -1. When you disable a repository, updates are disabled and new changes to the clusterRepo are not applied. 
- -To enable a chart repository: - -1. Click **☰ > Cluster Management**. -1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. -1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. -1. Find the repository you want to disable, and click **⋮ > Edit YAML**. -1. Set the **Enabled** field under **Spec** to **true**. -1. Click **Save**. - ## Deploy and Upgrade Charts To install and deploy a chart: @@ -237,7 +201,7 @@ To install and deploy a chart: 1. Click **☰ > Cluster Management**. 1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. 1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Charts**. -1. Select a chart, and click **Install**. +1. Select a chart, and click **Install**. Rancher and Partner charts may have extra configurations available through custom pages or questions.yaml files. However, all chart installations can modify the values.yaml and other basic settings. After you click **Install**, a Helm operation job is deployed, and the console for the job is displayed. diff --git a/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md b/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md index a694c2f77c2c..eafa50faff9d 100644 --- a/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md +++ b/docs/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md @@ -31,5 +31,6 @@ Rancher contains a variety of tools that aren't included in Kubernetes to assist - Logging - Monitoring - Istio Service Mesh +- OPA Gatekeeper Tools can be installed through **Apps.** diff --git a/docs/integrations-in-rancher/opa-gatekeeper.md b/docs/integrations-in-rancher/opa-gatekeeper.md new file mode 100644 index 000000000000..cea9732b36cd --- /dev/null +++ b/docs/integrations-in-rancher/opa-gatekeeper.md 
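Review bot: the `helm-charts-in-rancher.md` hunk deletes the v2.10.0 "Refresh Interval" and "Enable/Disable Helm Chart Repositories" sections, which document the `refreshInterval` and `Enabled` fields of the `ClusterRepo` spec, the controls an operator uses to stop pulling from a compromised or retired repository; in a "Syncing with main" commit this reads like a lost rebase rather than a deliberate removal, so check whether `docs/` on main really lacks them before merging. If the text comes back, fix the copy-paste in the enable procedure ("Find the repository you want to disable" under "To enable a chart repository") and make the field name consistent with `refreshInterval` (the YAML keys are camelCase, so `enabled`, not `Enabled`), and say explicitly that a disabled repository keeps serving its already-cached index, since "new changes to the clusterRepo are not applied" is ambiguous about what the user still sees.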
@@ -0,0 +1,117 @@ +--- +title: OPA Gatekeeper +--- + + + + + + + +To ensure consistency and compliance, every organization needs the ability to define and enforce policies in its environment in an automated way. [OPA (Open Policy Agent)](https://www.openpolicyagent.org/) is a policy engine that facilitates policy-based control for cloud native environments. Rancher provides the ability to enable OPA Gatekeeper in Kubernetes clusters, and also installs a couple of built-in policy definitions, which are also called constraint templates. + +OPA provides a high-level declarative language that lets you specify policy as code and ability to extend simple APIs to offload policy decision-making. + +[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: + +- An extensible, parameterized policy library. +- Native Kubernetes CRDs for instantiating the policy library, also called “constraints." +- Native Kubernetes CRDs for extending the policy library, also called "constraint templates." +- Audit functionality. + +To read more about OPA, please refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/) + +## How the OPA Gatekeeper Integration Works + +Kubernetes provides the ability to extend API server functionality via admission controller webhooks, which are invoked whenever a resource is created, updated or deleted. Gatekeeper is installed as a validating webhook and enforces policies defined by Kubernetes custom resource definitions. In addition to the admission control usage, Gatekeeper provides the capability to audit existing resources in Kubernetes clusters and mark current violations of enabled policies. 
+ +OPA Gatekeeper is made available via Rancher's Helm system chart, and it is installed in a namespace named `gatekeeper-system.` + +## Enabling OPA Gatekeeper in a Cluster + +:::note + +In Rancher v2.5, the OPA Gatekeeper application was improved. The Rancher v2.4 feature can't be upgraded to the new version in Rancher v2.5. If you installed OPA Gatekeeper in Rancher v2.4, you will need to uninstall OPA Gatekeeper and its CRDs from the old UI, then reinstall it in Rancher v2.5. To uninstall the CRDs run the following command in the kubectl console `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh`. + +::: + +:::note Prerequisite: + +Only administrators and cluster owners can enable OPA Gatekeeper. + +::: + +The OPA Gatekeeper Helm chart can be installed from **Apps**. + +### Enabling OPA Gatekeeper + +1. In the upper left corner, click **☰ > Cluster Management**. +1. In the **Clusters** page, go to the cluster where you want to enable OPA Gatekeeper and click **Explore**. +1. In the left navigation bar, click **Apps**. +1. Click **Charts** and click **OPA Gatekeeper**. +1. Click **Install**. + +**Result:** OPA Gatekeeper is deployed in your Kubernetes cluster. + +## Constraint Templates + +[Constraint templates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) are Kubernetes custom resources that define the schema and Rego logic of the OPA policy to be applied by Gatekeeper. For more information on the Rego policy language, refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/policy-language/) + +When OPA Gatekeeper is enabled, Rancher installs some templates by default. + +To list the constraint templates installed in the cluster, go to the left side menu under OPA Gatekeeper and click on **Templates**. + +Rancher also provides the ability to create your own constraint templates by importing YAML definitions. 
+ +## Creating and Configuring Constraints + +[Constraints](https://github.com/open-policy-agent/gatekeeper#constraints) are Kubernetes custom resources that define the scope of objects to which a specific constraint template applies to. The complete policy is defined by constraint templates and constraints together. + +:::note Prerequisite: + +OPA Gatekeeper must be enabled in the cluster. + +::: + +To list the constraints installed, go to the left side menu under OPA Gatekeeper, and click on **Constraints**. + +New constraints can be created from a constraint template. + +Rancher provides the ability to create a constraint by using a convenient form that lets you input the various constraint fields. + +The **Edit as yaml** option is also available to configure the the constraint's yaml definition. + +### Exempting Rancher's System Namespaces from Constraints + +When a constraint is created, ensure that it does not apply to any Rancher or Kubernetes system namespaces. If the system namespaces are not excluded, then it is possible to see many resources under them marked as violations of the constraint. + +To limit the scope of the constraint only to user namespaces, always specify these namespaces under the **Match** field of the constraint. + +Also, the constraint may interfere with other Rancher functionality and deny system workloads from being deployed. To avoid this, exclude all Rancher-specific namespaces from your constraints. + +## Enforcing Constraints in your Cluster + +When the **Enforcement Action** is **Deny,** the constraint is immediately enabled and will deny any requests that violate the policy defined. By default, the enforcement value is **Deny**. + +When the **Enforcement Action** is **Dryrun,** then any resources that violate the policy are only recorded under the constraint's status field. + +To enforce constraints, create a constraint using the form. In the **Enforcement Action** field, choose **Deny**. 
+ +## Audit and Violations in your Cluster + +OPA Gatekeeper runs a periodic audit to check if any existing resource violates any enforced constraint. The audit-interval (default 300s) can be configured while installing Gatekeeper. + +On the Gatekeeper page, any violations of the defined constraints are listed. + +Also under **Constraints,** the number of violations of the constraint can be found. + +The detail view of each constraint lists information about the resource that violated the constraint. + +## Disabling Gatekeeper + +1. Navigate to the cluster's Dashboard view +1. On the left side menu, expand the cluster menu and click on **OPA Gatekeeper**. +1. Click the **⋮ > Disable**. + +**Result:** Upon disabling OPA Gatekeeper, all constraint templates and constraints will also be deleted. + diff --git a/docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md new file mode 100644 index 000000000000..c3c9b7a732df --- /dev/null +++ b/docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md 
@@ -0,0 +1,19 @@ +--- +title: Best Practices for Disconnected Clusters +--- + + + + + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. + +While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. + +### Best Practices for Managing Disconnected Clusters + +- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. + +- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. + +- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. diff --git a/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 1e73af430af9..c0bdf07d88db 100644 
--- a/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,6 +14,10 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. +### Disconnected clusters + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. + ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/docs/reference-guides/rancher-cluster-tools.md b/docs/reference-guides/rancher-cluster-tools.md index ad46fbdd9d25..4607ae590353 100644 --- a/docs/reference-guides/rancher-cluster-tools.md +++ b/docs/reference-guides/rancher-cluster-tools.md @@ -42,6 +42,12 @@ Rancher's integration with Istio was improved in Rancher v2.5. For more information, refer to the Istio documentation [here.](../integrations-in-rancher/istio/istio.md) +## OPA Gatekeeper + + + +[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is an open-source project that provides integration between OPA and Kubernetes to provide policy control via admission controller webhooks. For details on how to enable Gatekeeper in Rancher, refer to the [OPA Gatekeeper section.](../integrations-in-rancher/opa-gatekeeper.md) + ## CIS Scans Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. 
diff --git a/docusaurus.config.js b/docusaurus.config.js index b65c0ed47129..a3c0a1ae7a68 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js @@ -2556,6 +2556,10 @@ module.exports = { to: '/integrations-in-rancher/neuvector', from: '/explanations/integrations-in-rancher/neuvector' }, + { + to: '/integrations-in-rancher/opa-gatekeeper', + from: '/explanations/integrations-in-rancher/opa-gatekeeper' + }, { to: '/v2.6/faq/general-faq', from: '/v2.6/faq' diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 9fbe04001f18..145e327f3af0 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md @@ -188,7 +188,3 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke * 检查你的 Keycloak 日志。 * 如果日志显示 `request validation failed: org.keycloak.common.VerificationException: SigAlg was null`,请在 Keycloak 客户端中将 `Client Signature Required` 设为 `OFF`。 - -## Configuring SAML Single Logout (SLO) - - diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 0e9201e1f998..4b9daebde825 100644 
--- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -105,7 +105,3 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限 1. 在**用户和组搜索**下,选中**配置 OpenLDAP Server**。 如果你在测试与 OpenLDAP Server 的连接时遇到问题,请确保你输入了ServiceAccount 的凭证并正确配置了搜索库。你可以检查 Rancher 日志来查明根本原因。调试日志可能包含有关错误的更详细信息。请参阅[如何启用调试日志](../../../../faq/technical-items.md#如何启用调试日志记录)了解更多信息。 - -## Configuring SAML Single Logout (SLO) - - diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index bfe1b8628621..0eebb8363c90 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md @@ -60,7 +60,3 @@ title: 配置 PingIdentity (SAML) - 用户组下拉列表仅显示你所属的用户组。如果你不是某个组的成员,你将无法添加该组。 ::: - -## Configuring SAML Single Logout (SLO) - - 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index b29f42313d84..325f86ca45b9 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md @@ -51,7 +51,3 @@ title: 2. 在 Rancher 中配置 Microsoft AD FS ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` - -## Configuring SAML Single Logout (SLO) - - diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index 9056b1d91434..fe0c5cde49bc 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md 
@@ -76,10 +76,6 @@ SAML 协议不支持用户或用户组的搜索或查找。因此,如果你没 要在 Rancher 中分配权限时启用搜索组,你需要为 SAML 身份认证服务配置支持组的后端(例如 OpenLDAP)。 -### Configuring SAML Single Logout (SLO) - - - # 在 Rancher 中设置 OpenLDAP 如果你将 OpenLDAP 配置为 Shibboleth 的后端,SAML 断言会返回到 Rancher,其中包括用于引用组的用户属性。然后,通过认证的用户将能够访问其所在的组有权访问的 Rancher 资源。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md new file mode 100644 index 000000000000..c3c9b7a732df --- /dev/null +++ b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md 
@@ -0,0 +1,19 @@ +--- +title: Best Practices for Disconnected Clusters +--- + + + + + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. + +While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. + +### Best Practices for Managing Disconnected Clusters + +- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. + +- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. + +- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 9cd0bd1ca151..eb6009f41f78 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,6 +14,10 @@ title: Rancher 管理集群的最佳实践 配置合理的监控和告警规则对于安全、可靠地运行生产环境中的工作负载至关重要。有关更多建议,请参阅[最佳实践](monitoring-best-practices.md)。 +### Disconnected clusters + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. + ## 设置容器的技巧 配置良好的容器可以极大地提高环境的整体性能和安全性。有关容器设置的建议,请参见[设置容器的技巧](tips-to-set-up-containers.md)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md index 9fbe04001f18..145e327f3af0 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml.md 
@@ -188,7 +188,3 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout myservice.ke * 检查你的 Keycloak 日志。 * 如果日志显示 `request validation failed: org.keycloak.common.VerificationException: SigAlg was null`,请在 Keycloak 客户端中将 `Client Signature Required` 设为 `OFF`。 - -## Configuring SAML Single Logout (SLO) - - diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 0e9201e1f998..4b9daebde825 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md @@ -105,7 +105,3 @@ OpenLDAP ServiceAccount 用于所有搜索。无论用户个人的 SAML 权限 1. 在**用户和组搜索**下,选中**配置 OpenLDAP Server**。 如果你在测试与 OpenLDAP Server 的连接时遇到问题,请确保你输入了ServiceAccount 的凭证并正确配置了搜索库。你可以检查 Rancher 日志来查明根本原因。调试日志可能包含有关错误的更详细信息。请参阅[如何启用调试日志](../../../../faq/technical-items.md#如何启用调试日志记录)了解更多信息。 - -## Configuring SAML Single Logout (SLO) - - diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index bfe1b8628621..0eebb8363c90 100644 
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md @@ -60,7 +60,3 @@ title: 配置 PingIdentity (SAML) - 用户组下拉列表仅显示你所属的用户组。如果你不是某个组的成员,你将无法添加该组。 ::: - -## Configuring SAML Single Logout (SLO) - - diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index b29f42313d84..325f86ca45b9 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md @@ -51,7 +51,3 @@ title: 2. 在 Rancher 中配置 Microsoft AD FS ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` - -## Configuring SAML Single Logout (SLO) - - 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index 9056b1d91434..fe0c5cde49bc 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md @@ -76,10 +76,6 @@ SAML 协议不支持用户或用户组的搜索或查找。因此,如果你没 要在 Rancher 中分配权限时启用搜索组,你需要为 SAML 身份认证服务配置支持组的后端(例如 OpenLDAP)。 -### Configuring SAML Single Logout (SLO) - - - # 在 Rancher 中设置 OpenLDAP 如果你将 OpenLDAP 配置为 Shibboleth 的后端,SAML 断言会返回到 Rancher,其中包括用于引用组的用户属性。然后,通过认证的用户将能够访问其所在的组有权访问的 Rancher 资源。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md index 75053324a0e1..7c16ac101924 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md 
@@ -9,7 +9,7 @@ PSS 定义了工作负载的安全级别。PSA 描述了 Pod 安全上下文和 ## 升级到 Pod 安全标准 (PSS) -确保将所有 PSP 都迁移到了另一个工作负载安全机制,包括将你当前的 PSP 映射到 Pod 安全标准,以便使用 [PSA 控制器](https://kubernetes.io/docs/concepts/security/pod-security-admission/)执行。如果 PSA 控制器不能满足企业的所有需求,建议你使用策略引擎,例如 [Kubewarden](https://www.kubewarden.io/)、[Kyverno](https://kyverno.io/) 或 [NeuVector](https://neuvector.com/)。有关如何迁移 PSP 的更多信息,请参阅你选择的策略引擎的文档。 +确保将所有 PSP 都迁移到了另一个工作负载安全机制,包括将你当前的 PSP 映射到 Pod 安全标准,以便使用 [PSA 控制器](https://kubernetes.io/docs/concepts/security/pod-security-admission/)执行。如果 PSA 控制器不能满足企业的所有需求,建议你使用策略引擎,例如 [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper)、[Kubewarden](https://www.kubewarden.io/)、[Kyverno](https://kyverno.io/) 或 [NeuVector](https://neuvector.com/)。有关如何迁移 PSP 的更多信息,请参阅你选择的策略引擎的文档。 :::caution 必须在删除 PodSecurityPolicy 对象_之前_添加新的策略执行机制。否则,你可能会为集群内的特权升级攻击创造机会。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index de3ce4d164ab..48ecc783bee5 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
@@ -161,56 +161,10 @@ spec: ::: -### Add Custom OCI Chart Repositories - -:::caution - -This feature is currently experimental and is not officially supported in Rancher. - -::: - -Helm v3 introduced storing Helm charts as [Open Container Initiative (OCI)](https://opencontainers.org/about/overview/) artifacts in container registries. With Rancher v2.9.0, you can add [OCI-based Helm chart repositories](https://helm.sh/docs/topics/registries/) alongside HTTP-based and Git-based repositories. This means you can deploy apps that are stored as OCI artifacts. For more information, see [Using OCI Helm Chart Repositories](./oci-repositories.md). - ### Helm 兼容性 仅支持 Helm 3 兼容 Chart 。 -#### Refresh Interval - -Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds. - -To modify the refresh interval of a chart repository: - -1. Click **☰ > Cluster Management**. -1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. -1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. -1. Find the repository you want to modify, and click **⋮ > Edit YAML**. -1. Set the **refreshInterval** field under **Spec** to the desired value in seconds. -1. Click **Save**. - -### Enable/Disable Helm Chart Repositories - -Rancher v2.10.0 adds the ability to enable and disable Helm repositories. Helm repositories are enabled by default. - -To disable a chart repository: - -1. Click **☰ > Cluster Management**. -1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. -1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. -1. Find the repository you want to disable, and click **⋮ > Edit YAML**. -1. Set the **Enabled** field under **Spec** to **false**. -1. Click **Save**. -1. 
When you disable a repository, updates are disabled and new changes to the clusterRepo are not applied. - -To enable a chart repository: - -1. Click **☰ > Cluster Management**. -1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. -1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. -1. Find the repository you want to disable, and click **⋮ > Edit YAML**. -1. Set the **Enabled** field under **Spec** to **true**. -1. Click **Save**. - ### 部署和升级 Chart 安装和部署 chart: diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md index c6de1117793a..a1c89025444f 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md @@ -31,5 +31,6 @@ Rancher 包含 Kubernetes 中未包含的各种工具来协助你进行 DevOps - Logging - Monitoring - Istio 服务网格 +- OPA Gatekeeper 你可以通过 **Apps** 来安装工具。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md new file mode 100644 index 000000000000..41c91274c668 --- /dev/null +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md 
@@ -0,0 +1,111 @@ +--- +title: OPA Gatekeeper +--- + +为了确保一致性和合规性,每个组织都需要能够以自动化的方式在环境中定义和执行策略。[OPA(Open Policy Agent)](https://www.openpolicyagent.org/) 是一个策略引擎,用于基于策略控制云原生环境。Rancher 支持在 Kubernetes 集群中启用 OPA Gatekeeper,并且还安装了一些内置的策略定义(也称为约束模板)。 + +OPA 提供了一种高级声明性语言,可以让你将策略指定为代码,还能扩展简单的 API,从而减轻策略决策的负担。 + +[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) 是一个提供 OPA 和 Kubernetes 集成的项目。OPA Gatekeeper 提供: + +- 一个可扩展的参数化策略库。 +- 用于实例化策略库的原生 Kubernetes CRD,也称为“约束”。 +- 用于扩展策略库的原生 Kubernetes CRD,也称为“约束模板”。 +- 审计功能。 + +要了解更多关于 OPA 的信息,请参阅[官方文档](https://www.openpolicyagent.org/docs/latest/)。 + +## OPA Gatekeeper 集成的工作原理 + +Kubernetes 支持通过准入控制器(准入控制器)webhook 来扩展 API Server 的功能,创建、更新或删除资源时都会调用这些 webhook。Gatekeeper 作为验证 webhook 安装,并执行由 Kubernetes CRD(Custom Resource Definition)定义的策略。除了使用准入控制之外,Gatekeeper 还能审计 Kubernetes 集群中的现有资源,并对违反当前策略的情况进行标记。 + +OPA Gatekeeper 由 Rancher 的 Helm system Chart 提供,它安装在名为 `gatekeeper-system` 的命名空间中。 + +## 在集群中启用 OPA Gatekeeper + +:::note + +Rancher 2.5 改进了 OPA Gatekeeper 应用。无法从 Rancher 2.4 升级到 Rancher 2.5 中的新版本。如果你在 Rancher 2.4 中安装了 OPA Gatekeeper,则需要在旧 UI 中卸载 OPA Gatekeeper 及其 CRD,然后在 Rancher 2.5 中重新安装它。如需卸载 CRD,请在 kubectl 控制台中运行 `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh` 命令。 + +::: + +:::note 先决条件: + +只有管理员和集群所有者才能启用 OPA Gatekeeper。 + +::: + +你可以在 **Apps** 页面安装 OPA Gatekeeper Helm Chart。 + +### 启用 OPA Gatekeeper + +1. 在左上角,单击 **☰ > 集群管理**。 +1. 在**集群**页面中,转到要启用 OPA Gatekeeper 的集群,然后单击 **Explore**。 +1. 在左侧导航栏中,点击 **Apps**。 +1. 点击 **Charts** 并点击 **OPA Gatekeeper**。 +1. 
单击**安装**。 + +**结果**:已将 OPA Gatekeeper 部署到你的 Kubernetes 集群。 + +## 约束模板 + +[约束模板](https://github.com/open-policy-agent/gatekeeper#constraint-templates)是 Kubernetes 自定义资源,用于定义要由 Gatekeeper 应用的 OPA 策略的架构和 Rego 逻辑。有关 Rego 策略语言的更多信息,请参阅[官方文档](https://www.openpolicyagent.org/docs/latest/policy-language/)。 + +启用 OPA Gatekeeper 后,Rancher 默认会安装一些模板。 + +要列出集群中安装的约束模板,请转到 OPA Gatekeeper 下的左侧菜单,然后单击**模板**。 + +Rancher 还支持通过导入 YAML 定义来创建你自己的约束模板。 + +## 创建和配置约束 + +[约束](https://github.com/open-policy-agent/gatekeeper#constraints)是 Kubernetes 自定义资源,用于定义要应用约束模板的对象范围。约束模板和约束共同定义一个完整的策略。 + +:::note 先决条件: + +集群中已启用 OPA Gatekeeper。 + +::: + +要列出已安装的约束,请转到 OPA Gatekeeper 下的左侧菜单,然后单击**约束**。 + +可以从约束模板创建新的约束。 + +Rancher 支持通过使用方便的表单来创建约束,你可以在该表单中输入各种约束字段。 + +**以 YAML 文件编辑**选项也可以用于配置约束的 YAML 定义。 + +### 使 Rancher 的 System 命名空间不受约束 + +创建约束时,请确保该约束不应用于任何 Rancher 或 Kubernetes System 命名空间。如果不排除 System 命名空间,则可能会出现 system 命名空间下的许多资源被标记为违反约束。 + +要让约束仅限制用户命名空间,请在约束的**匹配**字段下指定这些命名空间。 + +此外,该约束可能会干扰其他 Rancher 功能并拒绝部署系统工作负载。为避免这种情况,请从你的约束中排除所有 Rancher 特定的命名空间。 + +## 在集群中实施约束 + +如果**执行动作**为 **Deny**,约束会立即启用,并拒绝任何违反策略的请求。默认情况下,执行的值为 **Deny**。 + +如果**执行动作** 为 **Dryrun**,违反策略的资源仅会记录在约束的状态字段中。 + +要强制执行约束,请使用表单创建约束。在**执行动作**字段中,选择 **Deny**。 + +## 集群中的审计和违规 + +OPA Gatekeeper 运行定期审计,以检查现有资源是否违反强制执行的约束。你可以在安装 Gatekeeper 时配置审计间隔(默认 300 秒)。 + +Gatekeeper 页面上列出了违反已定义的约束的情况。 + +此外,你也可以在**约束**页面中找到违反约束的数量。 + +每个约束的详细信息视图列出了违反约束的资源的信息。 + +## 禁用 Gatekeeper + +1. 导航到集群的仪表板视图。 +1. 在左侧菜单中,展开集群菜单并单击 **OPA Gatekeeper**。 +1. 单击 **⋮ > 禁用**。 + +**结果**:禁用 OPA Gatekeeper 后,所有约束模板和约束也将被删除。 + diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md new file mode 100644 index 000000000000..c3c9b7a732df --- /dev/null 
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md @@ -0,0 +1,19 @@ +--- +title: Best Practices for Disconnected Clusters +--- + + + + + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. + +While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. + +### Best Practices for Managing Disconnected Clusters + +- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. + +- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. + +- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 9cd0bd1ca151..eb6009f41f78 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,6 +14,10 @@ title: Rancher 管理集群的最佳实践 配置合理的监控和告警规则对于安全、可靠地运行生产环境中的工作负载至关重要。有关更多建议,请参阅[最佳实践](monitoring-best-practices.md)。 +### Disconnected clusters + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. + ## 设置容器的技巧 配置良好的容器可以极大地提高环境的整体性能和安全性。有关容器设置的建议,请参见[设置容器的技巧](tips-to-set-up-containers.md)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md index 29a448f3a1f6..e454be93e768 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/rancher-cluster-tools.md @@ -4,6 +4,7 @@ title: 集群工具:Logging,Monitoring 和可视化 Rancher 包含 Kubernetes 中未包含的各种工具来协助你进行 DevOps 操作。Rancher 可以与外部服务集成,让你的集群更高效地运行。工具分为以下几类: + ## Logging Logging 支持: @@ -17,7 +18,6 @@ Logging 支持: Rancher 可以与 Elasticsearch、splunk、kafka、syslog 和 fluentd 集成。 有关详细信息,请参阅 [Logging 文档](../integrations-in-rancher/logging/logging.md)。 - ## 监控和告警 你可以使用 Rancher,通过业界领先并开源的 [Prometheus](https://prometheus.io/) 来监控集群节点、Kubernetes 组件和软件部署的状态和进程。 
@@ -37,6 +37,9 @@ Rancher 可以与 Elasticsearch、splunk、kafka、syslog 和 fluentd 集成。 Rancher v2.5 改进了与 Istio 的集成。 如需更多信息,请参阅 [Istio 文档](..//integrations-in-rancher/istio/istio.md)。 +## OPA Gatekeeper + +[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) 是一个开源项目,它对 OPA 和 Kubernetes 进行了集成,以通过许可控制器 Webhook 提供策略控制。有关如何在 Rancher 中启用 Gatekeeper 的详细信息,请参阅 [OPA Gatekeeper](../integrations-in-rancher/opa-gatekeeper.md)。 ## CIS 扫描 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md index 267488febfa0..e2bb53eddc88 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md @@ -16,6 +16,7 @@ Rancher 将在 GitHub 上发布的 Rancher 的[发版说明](https://github.com/ | Patch Version | Release Date | | ----------------------------------------------------------------- | -------------------| +| [2.7.17](https://github.com/rancher/rancher/releases/tag/v2.7.17) | 2024 年 11 月 05 日 | | [2.7.16](https://github.com/rancher/rancher/releases/tag/v2.7.16) | 2024 年 10 月 24 日 | | [2.7.15](https://github.com/rancher/rancher/releases/tag/v2.7.15) | 2024 年 7 月 31 日 | | [2.7.14](https://github.com/rancher/rancher/releases/tag/v2.7.14) | 2024 年 6 月 17 日 | diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 268352f336b5..0439b0554d8e 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md 
@@ -19,6 +19,7 @@ title: 安装 Adapter | Rancher 版本 | Adapter 版本 | | ------------ | :----------: | +| v2.7.17 | v2.0.4 | | v2.7.16 | v2.0.4 | | v2.7.15 | v2.0.4 | | v2.7.14 | v2.0.4 | diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md new file mode 100644 index 000000000000..c3c9b7a732df --- /dev/null +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md 
@@ -0,0 +1,19 @@ +--- +title: Best Practices for Disconnected Clusters +--- + + + + + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. + +While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. + +### Best Practices for Managing Disconnected Clusters + +- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. + +- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. + +- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index e12f1db24983..349b3dcbdfe6 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,6 +14,10 @@ title: Rancher 管理集群的最佳实践 配置合理的监控和告警规则对于安全、可靠地运行生产环境中的工作负载至关重要。有关更多建议,请参阅[最佳实践](monitoring-best-practices.md)。 +### Disconnected clusters + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. + ### 设置容器的技巧 配置良好的容器可以极大地提高环境的整体性能和安全性。有关容器设置的建议,请参见[设置容器的技巧](tips-to-set-up-containers.md)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md index b60bf42ee33a..fe651722787e 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md @@ -20,6 +20,7 @@ Rancher 将 Rancher-Webhook 作为单独的 deployment 和服务部署在 local | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| +| v2.7.17 | v0.3.13 | ✓ | N/A | | v2.7.16 | v0.3.12 | ✓ | N/A | | v2.7.15 | v0.3.11 | ✓ | N/A | | v2.7.14 | v0.3.11 | ✓ | N/A | 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md new file mode 100644 index 000000000000..c3c9b7a732df --- /dev/null +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md 
@@ -0,0 +1,19 @@ +--- +title: Best Practices for Disconnected Clusters +--- + + + + + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. + +While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. + +### Best Practices for Managing Disconnected Clusters + +- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. + +- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. + +- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 9cd0bd1ca151..eb6009f41f78 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,6 +14,10 @@ title: Rancher 管理集群的最佳实践 配置合理的监控和告警规则对于安全、可靠地运行生产环境中的工作负载至关重要。有关更多建议,请参阅[最佳实践](monitoring-best-practices.md)。 +### Disconnected clusters + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. + ## 设置容器的技巧 配置良好的容器可以极大地提高环境的整体性能和安全性。有关容器设置的建议,请参见[设置容器的技巧](tips-to-set-up-containers.md)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md new file mode 100644 index 000000000000..c3c9b7a732df --- /dev/null +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md 
@@ -0,0 +1,19 @@ +--- +title: Best Practices for Disconnected Clusters +--- + + + + + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. + +While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. + +### Best Practices for Managing Disconnected Clusters + +- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. + +- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. + +- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index e12f1db24983..349b3dcbdfe6 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,6 +14,10 @@ title: Rancher 管理集群的最佳实践 配置合理的监控和告警规则对于安全、可靠地运行生产环境中的工作负载至关重要。有关更多建议,请参阅[最佳实践](monitoring-best-practices.md)。 +### Disconnected clusters + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. + ### 设置容器的技巧 配置良好的容器可以极大地提高环境的整体性能和安全性。有关容器设置的建议,请参见[设置容器的技巧](tips-to-set-up-containers.md)。 diff --git a/sidebars.js b/sidebars.js index 12a6e77233ef..9cdc5eab27bd 100644 --- a/sidebars.js +++ b/sidebars.js @@ -845,7 +845,8 @@ const sidebars = { "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", + "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" ] } ] 
@@ -1292,6 +1293,7 @@ const sidebars = { "integrations-in-rancher/monitoring-and-alerting/promql-expressions", ] }, + "integrations-in-rancher/opa-gatekeeper", "integrations-in-rancher/rancher-extensions", ] }, diff --git a/src/pages/versions.md b/src/pages/versions.md index 05899853f5a5..358b424f7d24 100644 --- a/src/pages/versions.md +++ b/src/pages/versions.md @@ -60,9 +60,9 @@ Here you can find links to supporting documentation for the current released ver Community - v2.7.16 + v2.7.17 Documentation - Release Notes + Release Notes
N/A
N/A
@@ -208,6 +208,14 @@ Here you can find links to supporting documentation for previous versions of Ran Prime Community + + v2.7.16 + Documentation + Release Notes +
N/A
+
+
N/A
+ v2.7.15 Documentation diff --git a/src/theme/MDXComponents.js b/src/theme/MDXComponents.js index 96351a571700..b5ef8bfde0f5 100644 --- a/src/theme/MDXComponents.js +++ b/src/theme/MDXComponents.js @@ -11,7 +11,6 @@ import DeprecationOPAGatekeeper from '/shared-files/_deprecation-opa-gatekeeper. import DeprecationWeave from '/shared-files/_deprecation-weave.md'; import DeprecationHelm2 from '/shared-files/_deprecation-helm2.md'; import DockerSupportWarning from '/shared-files/_docker-support-warning.md'; -import ConfigureSLO from '/shared-files/_configure-slo.md'; export default { // Re-use the default mapping @@ -24,7 +23,6 @@ export default { Card, CNIPopularityTable, - ConfigureSLO, DeprecationOPAGatekeeper, DeprecationWeave, DeprecationHelm2, diff --git a/versioned_docs/version-2.10/api/workflows/projects.md b/versioned_docs/version-2.10/api/workflows/projects.md index 7b7ced1e6d04..ea4b6fe66f39 100644 --- a/versioned_docs/version-2.10/api/workflows/projects.md +++ b/versioned_docs/version-2.10/api/workflows/projects.md @@ -49,10 +49,6 @@ EOF Setting the `field.cattle.io/creatorId` field allows the cluster member account to see project resources with the `get` command and view the project in the Rancher UI. Cluster owner and admin accounts don't need to set this annotation to perform these tasks. -Setting the `field.cattle.io/creator-principal-name` annotation to the user's principal preserves it in a projectroletemplatebinding automatically created for the project owner. - -If you don't want the creator to be added as the owner member (e.g. if the creator is a cluster administrator) to the project you may set the `field.cattle.io/no-creator-rbac` annotation to `true`, which will prevent the corresponding projectroletemplatebinding from being created. - ### Creating a Project With a Resource Quota Refer to [Kubernetes Resource Quota](https://kubernetes.io/docs/concepts/policy/resource-quotas/). 
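Review bot: the `projects.md` hunk (`@@ -49,10 +49,6`) removes the only description of the `field.cattle.io/creator-principal-name` and `field.cattle.io/no-creator-rbac` annotations with nothing replacing it. `no-creator-rbac` controls whether the creator receives a projectroletemplatebinding (owner rights) on creation, which is exactly the kind of guidance someone scripting project creation as a cluster administrator needs; if the annotations are not supported in v2.10 the PR description should say so, otherwise keep the two paragraphs.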
@@ -95,77 +91,6 @@ spec: limitsMemory: 100Mi requestsCpu: 50m requestsMemory: 50Mi -EOF -``` - -## Adding a Member to a Project - -Look up the project ID to specify the `metadata.namespace` field and `projectName` field values. - -```bash -kubectl --namespace c-m-abcde get projects -``` - -Look up the role template ID to specify the `roleTemplateName` field value (e.g. `project-member` or `project-owner`). - -```bash -kubectl get roletemplates -``` - -When adding a user member specify the `userPrincipalName` field: - -```bash -kubectl create -f - < diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md index 0496237f3858..1f601689bc11 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-okta-saml.md 
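Review bot: this hunk deletes the whole "Adding a Member to a Project" workflow (the `kubectl get projects` lookup for `metadata.namespace`/`projectName`, the `kubectl get roletemplates` lookup for `roleTemplateName`, and the binding creation with `userPrincipalName`) from the v2.10 API workflow page without pointing readers anywhere else. If the section moved, add a link in the text that remains; if it was removed because the procedure changed in 2.10, state that in the PR description. Also, the deletion starts at `-EOF` and the closing fence of the preceding quota example, so confirm the remaining YAML block is still closed after this change.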
@@ -107,8 +107,4 @@ The OpenLDAP service account is used for all searches. Rancher users will see us 1. Click **Okta** or, if SAML is already configured, **Edit Config** 1. Under **User and Group Search**, check **Configure an OpenLDAP server** -If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. - -## Configuring SAML Single Logout (SLO) - - +If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information. \ No newline at end of file diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md index 6a40e9343f28..e45d179881e5 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity.md 
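Review bot: in `configure-okta-saml.md` the final paragraph is removed and re-added byte-for-byte, the only difference being the lost trailing newline (`\ No newline at end of file`); restore the newline so the hunk shrinks to just the removal of the empty `## Configuring SAML Single Logout (SLO)` heading.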
@@ -64,7 +64,3 @@ Note that these URLs will not return valid data until the authentication configu - The group drop-down shows only the groups that you are a member of. You will not be able to add groups that you are not a member of. ::: - -## Configuring SAML Single Logout (SLO) - - diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md index b2785bd83f0f..492737803f5b 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-microsoft-ad-federation-service-saml/configure-rancher-for-ms-adfs.md @@ -51,7 +51,3 @@ You can generate a certificate using an openssl command. For example: ``` openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com" ``` - -## Configuring SAML Single Logout (SLO) - - diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md index 1480b024af9d..a57f4882050a 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md 
+++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/configure-shibboleth-saml/configure-shibboleth-saml.md @@ -77,10 +77,6 @@ If you configure Shibboleth without OpenLDAP, the following caveats apply due to To enable searching for groups when assigning permissions in Rancher, you will need to configure a back end for the SAML provider that supports groups, such as OpenLDAP. -### Configuring SAML Single Logout (SLO) - - - ## Setting up OpenLDAP in Rancher If you also configure OpenLDAP as the back end to Shibboleth, it will return a SAML assertion to Rancher with user attributes that include groups. Then authenticated users will be able to access resources in Rancher that their groups have permissions for. diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md index 5e8f2ee3b584..7b55b963fda3 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/pod-security-standards.md 
@@ -13,7 +13,7 @@ PSS define security levels for workloads. PSAs describe requirements for pod sec ## Upgrade to Pod Security Standards (PSS) -Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. +Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper), [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs. :::caution You must add your new policy enforcement mechanisms _before_ you remove the PodSecurityPolicy objects. If you don't, you may create an opportunity for privilege escalation attacks within the cluster. diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md index 3899b363f8ab..84ae382badbb 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
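Review bot: adding OPA Gatekeeper to the recommended policy engines in `pod-security-standards.md` conflicts with this same patch keeping the `DeprecationOPAGatekeeper` import in `src/theme/MDXComponents.js` above. The caution right below this line warns that a gap in policy enforcement during PSP removal opens privilege escalation, so recommending a tool the docs also flag as deprecated sends a mixed message; either drop it from the list or qualify it with its deprecation status.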
+++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/helm-charts-in-rancher/helm-charts-in-rancher.md 
@@ -194,42 +194,6 @@ Non-Airgap Rancher installations upon refresh will reflect any chart repository Airgap installations where Rancher is configured to use the packaged copy of Helm system charts ([`useBundledSystemChart=true`](../../../getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md#helm-chart-options-for-air-gap-installations)) will only refer to the [system-chart](https://github.com/rancher/system-charts) repository that comes bundled and will not be able to be refreshed or synced. -#### Refresh Interval - -Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds. - -To modify the refresh interval of a chart repository: - -1. Click **☰ > Cluster Management**. -1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. -1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. -1. Find the repository you want to modify, and click **⋮ > Edit YAML**. -1. Set the **refreshInterval** field under **Spec** to the desired value in seconds. -1. Click **Save**. - -### Enable/Disable Helm Chart Repositories - -Rancher v2.10.0 adds the ability to enable and disable Helm repositories. Helm repositories are enabled by default. - -To disable a chart repository: - -1. Click **☰ > Cluster Management**. -1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. -1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. -1. Find the repository you want to disable, and click **⋮ > Edit YAML**. -1. Set the **Enabled** field under **Spec** to **false**. -1. Click **Save**. -1. When you disable a repository, updates are disabled and new changes to the clusterRepo are not applied. 
- -To enable a chart repository: - -1. Click **☰ > Cluster Management**. -1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. -1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**. -1. Find the repository you want to disable, and click **⋮ > Edit YAML**. -1. Set the **Enabled** field under **Spec** to **true**. -1. Click **Save**. - ## Deploy and Upgrade Charts To install and deploy a chart: @@ -237,7 +201,7 @@ To install and deploy a chart: 1. Click **☰ > Cluster Management**. 1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row. 1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Charts**. -1. Select a chart, and click **Install**. +1. Select a chart, and click **Install**. Rancher and Partner charts may have extra configurations available through custom pages or questions.yaml files. However, all chart installations can modify the values.yaml and other basic settings. After you click **Install**, a Helm operation job is deployed, and the console for the job is displayed. diff --git a/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md b/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md index a694c2f77c2c..eafa50faff9d 100644 --- a/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md +++ b/versioned_docs/version-2.10/how-to-guides/new-user-guides/manage-clusters/manage-clusters.md @@ -31,5 +31,6 @@ Rancher contains a variety of tools that aren't included in Kubernetes to assist - Logging - Monitoring - Istio Service Mesh +- OPA Gatekeeper Tools can be installed through **Apps.** 
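Review bot: the `@@ -194,42 +194,6` hunk removes the "Refresh Interval" and "Enable/Disable Helm Chart Repositories" sections, which describe the `refreshInterval` field on the `ClusterRepo` CRD and the `Enabled` spec field as v2.10.0 features. If those fields did not ship in v2.10.0 the removal is right and the PR description should say so; if they did, this drops the only text telling operators that a disabled repository stops receiving updates. Should the text be restored, fix the copy error in the "To enable" list, which says "Find the repository you want to disable".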
diff --git a/versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md b/versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md new file mode 100644 index 000000000000..cea9732b36cd --- /dev/null +++ b/versioned_docs/version-2.10/integrations-in-rancher/opa-gatekeeper.md 
@@ -0,0 +1,117 @@ +--- +title: OPA Gatekeeper +--- + + + + + + + +To ensure consistency and compliance, every organization needs the ability to define and enforce policies in its environment in an automated way. [OPA (Open Policy Agent)](https://www.openpolicyagent.org/) is a policy engine that facilitates policy-based control for cloud native environments. Rancher provides the ability to enable OPA Gatekeeper in Kubernetes clusters, and also installs a couple of built-in policy definitions, which are also called constraint templates. + +OPA provides a high-level declarative language that lets you specify policy as code and ability to extend simple APIs to offload policy decision-making. + +[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides: + +- An extensible, parameterized policy library. +- Native Kubernetes CRDs for instantiating the policy library, also called “constraints." +- Native Kubernetes CRDs for extending the policy library, also called "constraint templates." +- Audit functionality. + +To read more about OPA, please refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/) + +## How the OPA Gatekeeper Integration Works + +Kubernetes provides the ability to extend API server functionality via admission controller webhooks, which are invoked whenever a resource is created, updated or deleted. Gatekeeper is installed as a validating webhook and enforces policies defined by Kubernetes custom resource definitions. In addition to the admission control usage, Gatekeeper provides the capability to audit existing resources in Kubernetes clusters and mark current violations of enabled policies. 
+ +OPA Gatekeeper is made available via Rancher's Helm system chart, and it is installed in a namespace named `gatekeeper-system.` + +## Enabling OPA Gatekeeper in a Cluster + +:::note + +In Rancher v2.5, the OPA Gatekeeper application was improved. The Rancher v2.4 feature can't be upgraded to the new version in Rancher v2.5. If you installed OPA Gatekeeper in Rancher v2.4, you will need to uninstall OPA Gatekeeper and its CRDs from the old UI, then reinstall it in Rancher v2.5. To uninstall the CRDs run the following command in the kubectl console `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh`. + +::: + +:::note Prerequisite: + +Only administrators and cluster owners can enable OPA Gatekeeper. + +::: + +The OPA Gatekeeper Helm chart can be installed from **Apps**. + +### Enabling OPA Gatekeeper + +1. In the upper left corner, click **☰ > Cluster Management**. +1. In the **Clusters** page, go to the cluster where you want to enable OPA Gatekeeper and click **Explore**. +1. In the left navigation bar, click **Apps**. +1. Click **Charts** and click **OPA Gatekeeper**. +1. Click **Install**. + +**Result:** OPA Gatekeeper is deployed in your Kubernetes cluster. + +## Constraint Templates + +[Constraint templates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) are Kubernetes custom resources that define the schema and Rego logic of the OPA policy to be applied by Gatekeeper. For more information on the Rego policy language, refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/policy-language/) + +When OPA Gatekeeper is enabled, Rancher installs some templates by default. + +To list the constraint templates installed in the cluster, go to the left side menu under OPA Gatekeeper and click on **Templates**. + +Rancher also provides the ability to create your own constraint templates by importing YAML definitions. 
+ +## Creating and Configuring Constraints + +[Constraints](https://github.com/open-policy-agent/gatekeeper#constraints) are Kubernetes custom resources that define the scope of objects to which a specific constraint template applies to. The complete policy is defined by constraint templates and constraints together. + +:::note Prerequisite: + +OPA Gatekeeper must be enabled in the cluster. + +::: + +To list the constraints installed, go to the left side menu under OPA Gatekeeper, and click on **Constraints**. + +New constraints can be created from a constraint template. + +Rancher provides the ability to create a constraint by using a convenient form that lets you input the various constraint fields. + +The **Edit as yaml** option is also available to configure the the constraint's yaml definition. + +### Exempting Rancher's System Namespaces from Constraints + +When a constraint is created, ensure that it does not apply to any Rancher or Kubernetes system namespaces. If the system namespaces are not excluded, then it is possible to see many resources under them marked as violations of the constraint. + +To limit the scope of the constraint only to user namespaces, always specify these namespaces under the **Match** field of the constraint. + +Also, the constraint may interfere with other Rancher functionality and deny system workloads from being deployed. To avoid this, exclude all Rancher-specific namespaces from your constraints. + +## Enforcing Constraints in your Cluster + +When the **Enforcement Action** is **Deny,** the constraint is immediately enabled and will deny any requests that violate the policy defined. By default, the enforcement value is **Deny**. + +When the **Enforcement Action** is **Dryrun,** then any resources that violate the policy are only recorded under the constraint's status field. + +To enforce constraints, create a constraint using the form. In the **Enforcement Action** field, choose **Deny**. 
+ +## Audit and Violations in your Cluster + +OPA Gatekeeper runs a periodic audit to check if any existing resource violates any enforced constraint. The audit-interval (default 300s) can be configured while installing Gatekeeper. + +On the Gatekeeper page, any violations of the defined constraints are listed. + +Also under **Constraints,** the number of violations of the constraint can be found. + +The detail view of each constraint lists information about the resource that violated the constraint. + +## Disabling Gatekeeper + +1. Navigate to the cluster's Dashboard view +1. On the left side menu, expand the cluster menu and click on **OPA Gatekeeper**. +1. Click the **⋮ > Disable**. + +**Result:** Upon disabling OPA Gatekeeper, all constraint templates and constraints will also be deleted. + diff --git a/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md new file mode 100644 index 000000000000..c3c9b7a732df --- /dev/null +++ b/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md 
@@ -0,0 +1,19 @@ +--- +title: Best Practices for Disconnected Clusters +--- + + + + + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. + +While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. + +### Best Practices for Managing Disconnected Clusters + +- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. + +- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. + +- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 1e73af430af9..36a8dec091e5 100644 --- a/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,6 +14,10 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. +### Disconnected clusters + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. + ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md b/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md index ad46fbdd9d25..4607ae590353 100644 --- a/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md +++ b/versioned_docs/version-2.10/reference-guides/rancher-cluster-tools.md 
@@ -42,6 +42,12 @@ Rancher's integration with Istio was improved in Rancher v2.5. For more information, refer to the Istio documentation [here.](../integrations-in-rancher/istio/istio.md) +## OPA Gatekeeper + + + +[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is an open-source project that provides integration between OPA and Kubernetes to provide policy control via admission controller webhooks. For details on how to enable Gatekeeper in Rancher, refer to the [OPA Gatekeeper section.](../integrations-in-rancher/opa-gatekeeper.md) + ## CIS Scans Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. diff --git a/versioned_docs/version-2.7/faq/deprecated-features.md b/versioned_docs/version-2.7/faq/deprecated-features.md index 3d46bcdaeeb1..6a0710dd106c 100644 --- a/versioned_docs/version-2.7/faq/deprecated-features.md +++ b/versioned_docs/version-2.7/faq/deprecated-features.md @@ -16,7 +16,8 @@ Rancher will publish deprecated features as part of the [release notes](https:// | Patch Version | Release Date | |---------------|---------------| -| [2.7.16](https://github.com/rancher/rancher/releases/tag/v2.7.16) | Oct 24, 2024 | +| [2.7.17](https://github.com/rancher/rancher/releases/tag/v2.7.17) | Nov 5, 2024 | +| [2.7.16](https://github.com/rancher/rancher/releases/tag/v2.7.16) | Oct 24, 2024 | | [2.7.15](https://github.com/rancher/rancher/releases/tag/v2.7.15) | July 31, 2024 | | [2.7.14](https://github.com/rancher/rancher/releases/tag/v2.7.14) | June 17, 2024 | | [2.7.13](https://github.com/rancher/rancher/releases/tag/v2.7.13) | May 16, 2024 | diff --git a/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 56e32b3c4741..376630d7fcd9 100644 
--- a/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md @@ -19,6 +19,7 @@ In order to deploy and run the adapter successfully, you need to ensure its vers | Rancher Version | Adapter Version | |-----------------|:---------------:| +| v2.7.17 | v2.0.4 | | v2.7.16 | v2.0.4 | | v2.7.15 | v2.0.4 | | v2.7.14 | v2.0.4 | diff --git a/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md new file mode 100644 index 000000000000..c3c9b7a732df --- /dev/null +++ b/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md 
@@ -0,0 +1,19 @@ +--- +title: Best Practices for Disconnected Clusters +--- + + + + + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. + +While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. + +### Best Practices for Managing Disconnected Clusters + +- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. + +- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. + +- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 1e73af430af9..36a8dec091e5 100644 --- a/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,6 +14,10 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. +### Disconnected clusters + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. + ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/versioned_docs/version-2.7/reference-guides/rancher-webhook.md b/versioned_docs/version-2.7/reference-guides/rancher-webhook.md index eda9e52c1fd1..66eaa5b3c4f9 100644 --- a/versioned_docs/version-2.7/reference-guides/rancher-webhook.md +++ b/versioned_docs/version-2.7/reference-guides/rancher-webhook.md 
@@ -20,6 +20,7 @@ Each Rancher version is designed to be compatible with a single version of the w | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| +| v2.7.17 | v0.3.13 | ✓ | N/A | | v2.7.16 | v0.3.12 | ✓ | N/A | | v2.7.15 | v0.3.11 | ✓ | N/A | | v2.7.14 | v0.3.11 | ✓ | N/A | diff --git a/versioned_docs/version-2.8/api/workflows/projects.md b/versioned_docs/version-2.8/api/workflows/projects.md index d811132828a8..33c6f27c4b43 100644 --- a/versioned_docs/version-2.8/api/workflows/projects.md +++ b/versioned_docs/version-2.8/api/workflows/projects.md 
@@ -91,77 +91,6 @@ spec: limitsMemory: 100Mi requestsCpu: 50m requestsMemory: 50Mi -EOF -``` - -## Adding a Member to a Project - -Look up the project ID to specify the `metadata.namespace` field and `projectName` field values. - -```bash -kubectl --namespace c-m-abcde get projects -``` - -Look up the role template ID to specify the `roleTemplateName` field value (e.g. `project-member` or `project-owner`). - -```bash -kubectl get roletemplates -``` - -When adding a user member specify the `userPrincipalName` field: - -```bash -kubectl create -f - < + + + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. + +While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. + +### Best Practices for Managing Disconnected Clusters + +- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. + +- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. 
+ +- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. diff --git a/versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 1e73af430af9..36a8dec091e5 100644 --- a/versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,6 +14,10 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. +### Disconnected clusters + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. + ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/versioned_docs/version-2.9/api/workflows/projects.md b/versioned_docs/version-2.9/api/workflows/projects.md index d811132828a8..ea4b6fe66f39 100644 --- a/versioned_docs/version-2.9/api/workflows/projects.md +++ b/versioned_docs/version-2.9/api/workflows/projects.md 
@@ -91,77 +91,6 @@ spec: limitsMemory: 100Mi requestsCpu: 50m requestsMemory: 50Mi -EOF -``` - -## Adding a Member to a Project - -Look up the project ID to specify the `metadata.namespace` field and `projectName` field values. - -```bash -kubectl --namespace c-m-abcde get projects -``` - -Look up the role template ID to specify the `roleTemplateName` field value (e.g. `project-member` or `project-owner`). - -```bash -kubectl get roletemplates -``` - -When adding a user member specify the `userPrincipalName` field: - -```bash -kubectl create -f - < + + + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. + +While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. + +### Best Practices for Managing Disconnected Clusters + +- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. + +- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. 
+ +- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. diff --git a/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 1e73af430af9..c0bdf07d88db 100644 --- a/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,6 +14,10 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. +### Disconnected clusters + +Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. + ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/versioned_sidebars/version-2.10-sidebars.json b/versioned_sidebars/version-2.10-sidebars.json index 7af1666eee9d..05fe81be8513 100644 --- a/versioned_sidebars/version-2.10-sidebars.json +++ b/versioned_sidebars/version-2.10-sidebars.json 
@@ -809,7 +809,8 @@ "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", + "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" ] } ] @@ -1253,6 +1254,7 @@ "integrations-in-rancher/monitoring-and-alerting/promql-expressions" ] }, + "integrations-in-rancher/opa-gatekeeper", "integrations-in-rancher/rancher-extensions" ] }, diff --git a/versioned_sidebars/version-2.7-sidebars.json b/versioned_sidebars/version-2.7-sidebars.json index ed7668948664..f0ce986f50f4 100644 --- a/versioned_sidebars/version-2.7-sidebars.json +++ b/versioned_sidebars/version-2.7-sidebars.json @@ -803,7 +803,8 @@ "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", + "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" ] } ] diff --git a/versioned_sidebars/version-2.8-sidebars.json b/versioned_sidebars/version-2.8-sidebars.json index 8124ccb970a1..b8772100addc 100644 --- a/versioned_sidebars/version-2.8-sidebars.json +++ b/versioned_sidebars/version-2.8-sidebars.json 
@@ -804,7 +804,8 @@ "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", + "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" ] } ] diff --git a/versioned_sidebars/version-2.9-sidebars.json b/versioned_sidebars/version-2.9-sidebars.json index 072459e52284..05fe81be8513 100644 --- a/versioned_sidebars/version-2.9-sidebars.json +++ b/versioned_sidebars/version-2.9-sidebars.json @@ -809,7 +809,8 @@ "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", + "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" ] } ] From d3463104ea57ded8f019b6c1fdd3913772ffac43 Mon Sep 17 00:00:00 2001 
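Review bot: In the new version-2.10 `opa-gatekeeper.md`, the `:::note` under "Enabling OPA Gatekeeper in a Cluster" is a Rancher v2.4 to v2.5 migration note that cannot apply to a 2.10 page, yet it hands the reader a destructive command, `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh`, which removes every constraint template in the cluster (the page itself says templates are custom resources); drop the note from this copy or rewrite it as a warning about what deleting those CRDs does. The "Exempting Rancher's System Namespaces from Constraints" section then tells the reader both to "always specify these namespaces under the **Match** field" and to "exclude all Rancher-specific namespaces from your constraints" without naming the field that does either, and never lists which namespaces count as system namespaces beyond the `gatekeeper-system` named earlier; since the same page says the default **Enforcement Action** is **Deny** and that a bad constraint can "deny system workloads from being deployed", this is the step most likely to lock a cluster, so spell out the namespaces to exclude, show the Match block, and recommend creating a constraint as **Dryrun** and reviewing its violations before switching it to **Deny**. Smaller fixes in the same hunk: the period inside the code span in "named `gatekeeper-system.`", "the the constraint's yaml definition", "to which a specific constraint template applies to", and the "## Enabling OPA Gatekeeper in a Cluster" heading followed two paragraphs later by "### Enabling OPA Gatekeeper" with the same title.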
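Review bot: "At the moment there are no known issues with disconnected clusters in the latest released Rancher version" in the new `disconnected-clusters.md` is a point-in-time claim copied verbatim into the version-2.7, 2.8, 2.9 and 2.10 trees, where "latest released Rancher version" means nothing and will silently go stale; drop it or pin it to a concrete version. In the **Certificate Rotation Considerations** bullet, "may rotate certificates on startup if they exceeded their lifetime" leaves open whether rotation happens before or only after expiry, which is what decides whether a cluster shut down past its certificate lifetime can still start and reconnect to Rancher; state the actual behaviour and what the operator has to do when it does not.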
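Review bot: The "### Disconnected clusters" heading added to rancher-managed-clusters.md breaks the Title Case of the neighbouring "### Tips for Setting Up Containers", and the four copies are not identical even though their hunks read the same: version-2.10, 2.7 and 2.8 go from `1e73af430af9` to `36a8dec091e5`, while version-2.9 goes to `c0bdf07d88db` (the same blob the revert patch below shows for the docs/ copy), so one of the added lines in the 2.9 and docs/ copies carries a whitespace or line-ending difference the hunk does not display. Use "### Disconnected Clusters" and make all copies byte-identical.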
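Review bot: The new "## OPA Gatekeeper" section in version-2.10 rancher-cluster-tools.md is followed by three empty added lines before its paragraph; collapse them to one, or if something was meant to sit there (the new opa-gatekeeper.md likewise opens with a run of empty lines after its front matter), add it. The sentence "provides integration between OPA and Kubernetes to provide policy control via admission controller webhooks" repeats "provide"; "integrates OPA with Kubernetes to enforce policy through admission webhooks" says it once.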
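Review bot: In the version-2.7 deprecated-features.md table the 2.7.16 row is removed and re-added with identical visible content (`-| [2.7.16](...) | Oct 24, 2024 |` then `+| [2.7.16](...) | Oct 24, 2024 |`), which means the line differs only in whitespace or line ending; strip that so the hunk is just the new 2.7.17 row, as the install-adapter.md and rancher-webhook.md hunks are.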
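Review bot: The `@@ -91,77 +91,6 @@` hunk in version-2.8 `api/workflows/projects.md` (and its twin in version-2.9) deletes the whole "Adding a Member to a Project" workflow, including the `kubectl --namespace c-m-abcde get projects` and `kubectl get roletemplates` lookups and the `userPrincipalName` / `roleTemplateName` guidance, with no replacement and no reason in the sync; if the content moved, link to its new home, otherwise explain the removal in the commit message. Two things to check as well: the hunk's first removed lines are the `EOF` terminator and closing fence of the preceding example, and the rest of the hunk is not visible here (the extraction cuts it at `kubectl create -f - <`), so confirm the new side still closes that heredoc and fence; and the 2.8 and 2.9 copies start from the same blob `d811132828a8` but end at different ones (`33c6f27c4b43` vs `ea4b6fe66f39`), so the two removals are not identical even though the visible part is.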
From: Sunil Singh Date: Thu, 7 Nov 2024 13:55:36 -0800 Subject: [PATCH 21/29] Revert "Syncing with main" This reverts commit 1584fa9cfcdd59cfb1adfa7f6ea2b7f9f5731e44. --- .../disconnected-clusters.md | 19 ------------------- .../rancher-managed-clusters.md | 4 ---- .../disconnected-clusters.md | 19 ------------------- .../rancher-managed-clusters.md | 4 ---- .../disconnected-clusters.md | 19 ------------------- .../rancher-managed-clusters.md | 4 ---- .../version-2.7/faq/deprecated-features.md | 1 - .../aws-cloud-marketplace/install-adapter.md | 1 - .../disconnected-clusters.md | 19 ------------------- .../rancher-managed-clusters.md | 4 ---- .../reference-guides/rancher-webhook.md | 1 - .../disconnected-clusters.md | 19 ------------------- .../rancher-managed-clusters.md | 4 ---- .../disconnected-clusters.md | 19 ------------------- .../rancher-managed-clusters.md | 4 ---- sidebars.js | 3 +-- src/pages/versions.md | 12 ++---------- .../disconnected-clusters.md | 19 ------------------- .../rancher-managed-clusters.md | 4 ---- .../version-2.7/faq/deprecated-features.md | 3 +-- .../aws-cloud-marketplace/install-adapter.md | 1 - .../disconnected-clusters.md | 19 ------------------- .../rancher-managed-clusters.md | 4 ---- .../reference-guides/rancher-webhook.md | 1 - .../disconnected-clusters.md | 19 ------------------- .../rancher-managed-clusters.md | 4 ---- .../disconnected-clusters.md | 19 ------------------- .../rancher-managed-clusters.md | 4 ---- versioned_sidebars/version-2.10-sidebars.json | 3 +-- versioned_sidebars/version-2.7-sidebars.json | 3 +-- versioned_sidebars/version-2.8-sidebars.json | 3 +-- versioned_sidebars/version-2.9-sidebars.json | 3 +-- 32 files changed, 8 insertions(+), 257 deletions(-) delete mode 100644 docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md delete mode 100644 i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md 
delete mode 100644 i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md delete mode 100644 i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md delete mode 100644 i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md delete mode 100644 i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md delete mode 100644 versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md delete mode 100644 versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md delete mode 100644 versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md delete mode 100644 versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md diff --git a/docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md deleted file mode 100644 index c3c9b7a732df..000000000000 --- a/docs/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Best Practices for Disconnected Clusters ---- - - - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. - -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. diff --git a/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index c0bdf07d88db..1e73af430af9 100644 
--- a/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/docs/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md deleted file mode 100644 index c3c9b7a732df..000000000000 --- a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Best Practices for Disconnected Clusters ---- - - - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. - -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index eb6009f41f78..9cd0bd1ca151 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ title: Rancher 管理集群的最佳实践 配置合理的监控和告警规则对于安全、可靠地运行生产环境中的工作负载至关重要。有关更多建议,请参阅[最佳实践](monitoring-best-practices.md)。 -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ## 设置容器的技巧 配置良好的容器可以极大地提高环境的整体性能和安全性。有关容器设置的建议,请参见[设置容器的技巧](tips-to-set-up-containers.md)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md deleted file mode 100644 index c3c9b7a732df..000000000000 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Best Practices for Disconnected Clusters ---- - - - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. - -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index eb6009f41f78..9cd0bd1ca151 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ title: Rancher 管理集群的最佳实践 配置合理的监控和告警规则对于安全、可靠地运行生产环境中的工作负载至关重要。有关更多建议,请参阅[最佳实践](monitoring-best-practices.md)。 -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ## 设置容器的技巧 配置良好的容器可以极大地提高环境的整体性能和安全性。有关容器设置的建议,请参见[设置容器的技巧](tips-to-set-up-containers.md)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md index e2bb53eddc88..267488febfa0 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/faq/deprecated-features.md 
@@ -16,7 +16,6 @@ Rancher 将在 GitHub 上发布的 Rancher 的[发版说明](https://github.com/ | Patch Version | Release Date | | ----------------------------------------------------------------- | -------------------| -| [2.7.17](https://github.com/rancher/rancher/releases/tag/v2.7.17) | 2024 年 11 月 05 日 | | [2.7.16](https://github.com/rancher/rancher/releases/tag/v2.7.16) | 2024 年 10 月 24 日 | | [2.7.15](https://github.com/rancher/rancher/releases/tag/v2.7.15) | 2024 年 7 月 31 日 | | [2.7.14](https://github.com/rancher/rancher/releases/tag/v2.7.14) | 2024 年 6 月 17 日 | diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 0439b0554d8e..268352f336b5 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md @@ -19,7 +19,6 @@ title: 安装 Adapter | Rancher 版本 | Adapter 版本 | | ------------ | :----------: | -| v2.7.17 | v2.0.4 | | v2.7.16 | v2.0.4 | | v2.7.15 | v2.0.4 | | v2.7.14 | v2.0.4 | diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md deleted file mode 100644 index c3c9b7a732df..000000000000 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Best Practices for Disconnected Clusters ---- - - - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. - -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 349b3dcbdfe6..e12f1db24983 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ title: Rancher 管理集群的最佳实践 配置合理的监控和告警规则对于安全、可靠地运行生产环境中的工作负载至关重要。有关更多建议,请参阅[最佳实践](monitoring-best-practices.md)。 -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ### 设置容器的技巧 配置良好的容器可以极大地提高环境的整体性能和安全性。有关容器设置的建议,请参见[设置容器的技巧](tips-to-set-up-containers.md)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md index fe651722787e..b60bf42ee33a 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.7/reference-guides/rancher-webhook.md @@ -20,7 +20,6 @@ Rancher 将 Rancher-Webhook 作为单独的 deployment 和服务部署在 local | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| -| v2.7.17 | v0.3.13 | ✓ | N/A | | v2.7.16 | v0.3.12 | ✓ | N/A | | v2.7.15 | v0.3.11 | ✓ | N/A | | v2.7.14 | v0.3.11 | ✓ | N/A | 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md deleted file mode 100644 index c3c9b7a732df..000000000000 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Best Practices for Disconnected Clusters ---- - - - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. - -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index eb6009f41f78..9cd0bd1ca151 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ title: Rancher 管理集群的最佳实践 配置合理的监控和告警规则对于安全、可靠地运行生产环境中的工作负载至关重要。有关更多建议,请参阅[最佳实践](monitoring-best-practices.md)。 -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ## 设置容器的技巧 配置良好的容器可以极大地提高环境的整体性能和安全性。有关容器设置的建议,请参见[设置容器的技巧](tips-to-set-up-containers.md)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md deleted file mode 100644 index c3c9b7a732df..000000000000 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Best Practices for Disconnected Clusters ---- - - - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. - -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 349b3dcbdfe6..e12f1db24983 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ title: Rancher 管理集群的最佳实践 配置合理的监控和告警规则对于安全、可靠地运行生产环境中的工作负载至关重要。有关更多建议,请参阅[最佳实践](monitoring-best-practices.md)。 -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ### 设置容器的技巧 配置良好的容器可以极大地提高环境的整体性能和安全性。有关容器设置的建议,请参见[设置容器的技巧](tips-to-set-up-containers.md)。 diff --git a/sidebars.js b/sidebars.js index 707a4ec30560..12a6e77233ef 100644 --- a/sidebars.js +++ b/sidebars.js @@ -845,8 +845,7 @@ const sidebars = { "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", - "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" ] } ] diff --git a/src/pages/versions.md b/src/pages/versions.md index 358b424f7d24..05899853f5a5 100644 --- a/src/pages/versions.md +++ b/src/pages/versions.md 
@@ -60,9 +60,9 @@ Here you can find links to supporting documentation for the current released ver Community - v2.7.17 + v2.7.16 Documentation - Release Notes + Release Notes
N/A
N/A
@@ -208,14 +208,6 @@ Here you can find links to supporting documentation for previous versions of Ran Prime Community - - v2.7.16 - Documentation - Release Notes -
N/A
-
-
N/A
- v2.7.15 Documentation diff --git a/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md deleted file mode 100644 index c3c9b7a732df..000000000000 --- a/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Best Practices for Disconnected Clusters ---- - - - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. - -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 36a8dec091e5..1e73af430af9 100644 --- a/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/versioned_docs/version-2.10/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/versioned_docs/version-2.7/faq/deprecated-features.md b/versioned_docs/version-2.7/faq/deprecated-features.md index 6a0710dd106c..3d46bcdaeeb1 100644 --- a/versioned_docs/version-2.7/faq/deprecated-features.md +++ b/versioned_docs/version-2.7/faq/deprecated-features.md 
@@ -16,8 +16,7 @@ Rancher will publish deprecated features as part of the [release notes](https:// | Patch Version | Release Date | |---------------|---------------| -| [2.7.17](https://github.com/rancher/rancher/releases/tag/v2.7.17) | Nov 5, 2024 | -| [2.7.16](https://github.com/rancher/rancher/releases/tag/v2.7.16) | Oct 24, 2024 | +| [2.7.16](https://github.com/rancher/rancher/releases/tag/v2.7.16) | Oct 24, 2024 | | [2.7.15](https://github.com/rancher/rancher/releases/tag/v2.7.15) | July 31, 2024 | | [2.7.14](https://github.com/rancher/rancher/releases/tag/v2.7.14) | June 17, 2024 | | [2.7.13](https://github.com/rancher/rancher/releases/tag/v2.7.13) | May 16, 2024 | diff --git a/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 376630d7fcd9..56e32b3c4741 100644 --- a/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/versioned_docs/version-2.7/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md @@ -19,7 +19,6 @@ In order to deploy and run the adapter successfully, you need to ensure its vers | Rancher Version | Adapter Version | |-----------------|:---------------:| -| v2.7.17 | v2.0.4 | | v2.7.16 | v2.0.4 | | v2.7.15 | v2.0.4 | | v2.7.14 | v2.0.4 | diff --git a/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md deleted file mode 100644 index c3c9b7a732df..000000000000 --- a/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Best Practices for Disconnected Clusters ---- - - - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. - -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 36a8dec091e5..1e73af430af9 100644 --- a/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/versioned_docs/version-2.7/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/versioned_docs/version-2.7/reference-guides/rancher-webhook.md b/versioned_docs/version-2.7/reference-guides/rancher-webhook.md index 66eaa5b3c4f9..eda9e52c1fd1 100644 --- a/versioned_docs/version-2.7/reference-guides/rancher-webhook.md +++ b/versioned_docs/version-2.7/reference-guides/rancher-webhook.md 
@@ -20,7 +20,6 @@ Each Rancher version is designed to be compatible with a single version of the w | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| -| v2.7.17 | v0.3.13 | ✓ | N/A | | v2.7.16 | v0.3.12 | ✓ | N/A | | v2.7.15 | v0.3.11 | ✓ | N/A | | v2.7.14 | v0.3.11 | ✓ | N/A | diff --git a/versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md deleted file mode 100644 index c3c9b7a732df..000000000000 --- a/versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Best Practices for Disconnected Clusters ---- - - - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. - -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index 36a8dec091e5..1e73af430af9 100644 --- a/versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/versioned_docs/version-2.8/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md b/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md deleted file mode 100644 index c3c9b7a732df..000000000000 --- a/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Best Practices for Disconnected Clusters ---- - - - - - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version. - -While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored. - -### Best Practices for Managing Disconnected Clusters - -- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect. - -- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time. - -- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime. 
diff --git a/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md b/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md index c0bdf07d88db..1e73af430af9 100644 --- a/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md +++ b/versioned_docs/version-2.9/reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters.md @@ -14,10 +14,6 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations. -### Disconnected clusters - -Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations. - ### Tips for Setting Up Containers Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips. diff --git a/versioned_sidebars/version-2.10-sidebars.json b/versioned_sidebars/version-2.10-sidebars.json index 0896e7bbf29c..7af1666eee9d 100644 --- a/versioned_sidebars/version-2.10-sidebars.json +++ b/versioned_sidebars/version-2.10-sidebars.json 
@@ -809,8 +809,7 @@ "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", - "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" ] } ] diff --git a/versioned_sidebars/version-2.7-sidebars.json b/versioned_sidebars/version-2.7-sidebars.json index f0ce986f50f4..ed7668948664 100644 --- a/versioned_sidebars/version-2.7-sidebars.json +++ b/versioned_sidebars/version-2.7-sidebars.json @@ -803,8 +803,7 @@ "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", - "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" ] } ] diff --git a/versioned_sidebars/version-2.8-sidebars.json b/versioned_sidebars/version-2.8-sidebars.json index b8772100addc..8124ccb970a1 100644 --- a/versioned_sidebars/version-2.8-sidebars.json +++ b/versioned_sidebars/version-2.8-sidebars.json 
@@ -804,8 +804,7 @@ "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", - "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" ] } ] diff --git a/versioned_sidebars/version-2.9-sidebars.json b/versioned_sidebars/version-2.9-sidebars.json index 05fe81be8513..072459e52284 100644 --- a/versioned_sidebars/version-2.9-sidebars.json +++ b/versioned_sidebars/version-2.9-sidebars.json @@ -809,8 +809,7 @@ "reference-guides/best-practices/rancher-managed-clusters/logging-best-practices", "reference-guides/best-practices/rancher-managed-clusters/monitoring-best-practices", "reference-guides/best-practices/rancher-managed-clusters/tips-to-set-up-containers", - "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere", - "reference-guides/best-practices/rancher-managed-clusters/disconnected-clusters" + "reference-guides/best-practices/rancher-managed-clusters/rancher-managed-clusters-in-vsphere" ] } ] From 3b9a7be3604c7ea719dcf0cc2d4e98527b3a8cc9 Mon Sep 17 00:00:00 2001 From: Gabriel Bueno Date: Tue, 12 Nov 2024 17:37:19 -0300 Subject: [PATCH 22/29] updates csp-adapter docs --- .../aws-cloud-marketplace/install-adapter.md | 1 + .../aws-cloud-marketplace/install-adapter.md | 8 +------- .../aws-cloud-marketplace/install-adapter.md | 2 ++ 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 88222845ac56..36ff2d15b66b 100644 
--- a/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md @@ -19,6 +19,7 @@ In order to deploy and run the adapter successfully, you need to ensure its vers | Rancher Version | Adapter Version | |-----------------|------------------| +| v2.10.0 | v105.0.0+up5.0.1 | | v2.9.3 | v104.0.0+up4.0.0 | | v2.9.2 | v104.0.0+up4.0.0 | | v2.9.1 | v104.0.0+up4.0.0 | diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 8e3d743ef27a..7a051a8d23bd 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md @@ -15,13 +15,7 @@ title: 安装 Adapter | Rancher 版本 | Adapter 版本 | |-----------------|:---------------:| -| v2.7.0 | v2.0.0 | -| v2.7.1 | v2.0.0 | -| v2.7.2 | v2.0.1 | -| v2.7.3 | v2.0.1 | -| v2.7.4 | v2.0.1 | -| v2.7.5 | v2.0.2 | - +| v2.10.0 | v5.0.1 | ## 1. 获取对 Local 集群的访问权限 diff --git a/versioned_docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/versioned_docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index e2199645e4dc..36ff2d15b66b 100644 --- a/versioned_docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/versioned_docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md 
@@ -19,6 +19,8 @@ In order to deploy and run the adapter successfully, you need to ensure its vers | Rancher Version | Adapter Version | |-----------------|------------------| +| v2.10.0 | v105.0.0+up5.0.1 | +| v2.9.3 | v104.0.0+up4.0.0 | | v2.9.2 | v104.0.0+up4.0.0 | | v2.9.1 | v104.0.0+up4.0.0 | | v2.9.0 | v104.0.0+up4.0.0 | From 1e6107d8b75034350e561ccdfca78487ca340cdc Mon Sep 17 00:00:00 2001 From: LucasSaintarbor Date: Wed, 13 Nov 2024 09:42:00 -0800 Subject: [PATCH 23/29] [2.10.0] versions table entry --- src/pages/versions.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/src/pages/versions.md b/src/pages/versions.md index 358b424f7d24..e29ca40b4e2c 100644 --- a/src/pages/versions.md +++ b/src/pages/versions.md @@ -6,6 +6,27 @@ title: Rancher Documentation Versions ### Current Versions +Here you can find links to supporting documentation for the current released version of Rancher v2.10, and its availability for [Rancher Prime](/v2.10/getting-started/quick-start-guides/deploy-rancher-manager/prime) and the Community version of Rancher: + + + + + + + + + + + + + + + + + + +
VersionDocumentationRelease NotesSupport MatrixPrimeCommunity
v2.10.0DocumentationRelease Notes
N/A
N/A
+ Here you can find links to supporting documentation for the current released version of Rancher v2.9, and its availability for [Rancher Prime](/v2.8/getting-started/quick-start-guides/deploy-rancher-manager/prime) and the Community version of Rancher: From 81dc8e87b687a8659539cf78f46a7181f9349c0a Mon Sep 17 00:00:00 2001 From: LucasSaintarbor Date: Wed, 13 Nov 2024 12:38:56 -0800 Subject: [PATCH 24/29] [2.10.0] webhook table entry --- docs/reference-guides/rancher-webhook.md | 5 +---- .../version-2.10/reference-guides/rancher-webhook.md | 4 +--- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/docs/reference-guides/rancher-webhook.md b/docs/reference-guides/rancher-webhook.md index 6461253264b5..41685f5766de 100644 --- a/docs/reference-guides/rancher-webhook.md +++ b/docs/reference-guides/rancher-webhook.md @@ -20,10 +20,7 @@ Each Rancher version is designed to be compatible with a single version of the w | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| -| v2.9.3 | v0.5.3 | ✓ | ✓ | -| v2.9.2 | v0.5.2 | ✓ | ✓ | -| v2.9.1 | v0.5.1 | ✓ | ✓ | -| v2.9.0 | v0.5.0 | ✗ | ✓ | +| v2.10.0 | v0.6.1 | ✗ | ✓ | ## Why Do We Need It? diff --git a/versioned_docs/version-2.10/reference-guides/rancher-webhook.md b/versioned_docs/version-2.10/reference-guides/rancher-webhook.md index 39223b92d4ef..843f09c06dcb 100644 --- a/versioned_docs/version-2.10/reference-guides/rancher-webhook.md +++ b/versioned_docs/version-2.10/reference-guides/rancher-webhook.md 
@@ -20,9 +20,7 @@ Each Rancher version is designed to be compatible with a single version of the w | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| -| v2.9.2 | v0.5.2 | ✓ | ✓ | -| v2.9.1 | v0.5.1 | ✓ | ✓ | -| v2.9.0 | v0.5.0 | ✗ | ✓ | +| v2.10.0 | v0.6.1 | ✗ | ✓ | ## Why Do We Need It? From 862c65400ad6e45fc473ee4fa648591cbb9ce630 Mon Sep 17 00:00:00 2001 From: LucasSaintarbor Date: Wed, 13 Nov 2024 12:51:05 -0800 Subject: [PATCH 25/29] [2.10.0] deprecated features table entry --- docs/faq/deprecated-features.md | 5 +---- versioned_docs/version-2.10/faq/deprecated-features.md | 4 +--- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/docs/faq/deprecated-features.md b/docs/faq/deprecated-features.md index 405dfdf3ab43..0c3f07cd5b94 100644 --- a/docs/faq/deprecated-features.md +++ b/docs/faq/deprecated-features.md @@ -16,10 +16,7 @@ Rancher will publish deprecated features as part of the [release notes](https:// | Patch Version | Release Date | |---------------|---------------| -| [2.9.3](https://github.com/rancher/rancher/releases/tag/v2.9.3) | Oct 24, 2024 | -| [2.9.2](https://github.com/rancher/rancher/releases/tag/v2.9.2) | Sep 19, 2024 | -| [2.9.1](https://github.com/rancher/rancher/releases/tag/v2.9.1) | Aug 26, 2024 | -| [2.9.0](https://github.com/rancher/rancher/releases/tag/v2.9.0) | Jul 31, 2024 | +| [2.10.0](https://github.com/rancher/rancher/releases/tag/v2.10.0) | Nov 14, 2024 | ## What can I expect when a feature is marked for deprecation? diff --git a/versioned_docs/version-2.10/faq/deprecated-features.md b/versioned_docs/version-2.10/faq/deprecated-features.md index bef8d0165782..0c3f07cd5b94 100644 --- a/versioned_docs/version-2.10/faq/deprecated-features.md +++ b/versioned_docs/version-2.10/faq/deprecated-features.md 
@@ -16,9 +16,7 @@ Rancher will publish deprecated features as part of the [release notes](https:// | Patch Version | Release Date | |---------------|---------------| -| [2.9.2](https://github.com/rancher/rancher/releases/tag/v2.9.2) | Sep 19, 2024 | -| [2.9.1](https://github.com/rancher/rancher/releases/tag/v2.9.1) | Aug 26, 2024 | -| [2.9.0](https://github.com/rancher/rancher/releases/tag/v2.9.0) | Jul 31, 2024 | +| [2.10.0](https://github.com/rancher/rancher/releases/tag/v2.10.0) | Nov 14, 2024 | ## What can I expect when a feature is marked for deprecation? From f63efb5f6f98ef67f70ff009b07bfa4149a93609 Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Wed, 13 Nov 2024 15:06:15 -0800 Subject: [PATCH 26/29] Add command to get verbose CIS scan results --- .../advanced-user-guides/cis-scan-guides/view-reports.md | 9 ++++++++- .../advanced-user-guides/cis-scan-guides/view-reports.md | 9 ++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/docs/how-to-guides/advanced-user-guides/cis-scan-guides/view-reports.md b/docs/how-to-guides/advanced-user-guides/cis-scan-guides/view-reports.md index 57dc1183deed..bb9045033bc8 100644 --- a/docs/how-to-guides/advanced-user-guides/cis-scan-guides/view-reports.md +++ b/docs/how-to-guides/advanced-user-guides/cis-scan-guides/view-reports.md 
@@ -13,4 +13,11 @@ To view the generated CIS scan reports, 1. Click **CIS Benchmark > Scan**. 1. The **Scans** page will show the generated reports. To see a detailed report, go to a scan report and click the name. -One can download the report from the Scans list or from the scan detail page. \ No newline at end of file +One can download the report from the Scans list or from the scan detail page. + +To get the verbose version of the CIS scan results, run the following command on the cluster that was scanned. Note that the scan must be completed before this can be done. + +```console +export REPORT="scan-report-name" +kubectl get clusterscanreport $REPORT -o json |jq ".spec.reportJSON | fromjson" | jq -r ".actual_value_map_data" | base64 -d | gunzip | jq . +``` diff --git a/versioned_docs/version-2.10/how-to-guides/advanced-user-guides/cis-scan-guides/view-reports.md b/versioned_docs/version-2.10/how-to-guides/advanced-user-guides/cis-scan-guides/view-reports.md index 57dc1183deed..bb9045033bc8 100644 --- a/versioned_docs/version-2.10/how-to-guides/advanced-user-guides/cis-scan-guides/view-reports.md +++ b/versioned_docs/version-2.10/how-to-guides/advanced-user-guides/cis-scan-guides/view-reports.md @@ -13,4 +13,11 @@ To view the generated CIS scan reports, 1. Click **CIS Benchmark > Scan**. 1. The **Scans** page will show the generated reports. To see a detailed report, go to a scan report and click the name. -One can download the report from the Scans list or from the scan detail page. \ No newline at end of file +One can download the report from the Scans list or from the scan detail page. + +To get the verbose version of the CIS scan results, run the following command on the cluster that was scanned. Note that the scan must be completed before this can be done. + +```console +export REPORT="scan-report-name" +kubectl get clusterscanreport $REPORT -o json |jq ".spec.reportJSON | fromjson" | jq -r ".actual_value_map_data" | base64 -d | gunzip | jq . +``` 
From c7d0bc872f3bac5c8a2688b1d215110f5e8d7588 Mon Sep 17 00:00:00 2001 From: Gabriel Bueno Date: Thu, 14 Nov 2024 11:42:26 -0300 Subject: [PATCH 27/29] removing 2.9 versions --- .../aws-cloud-marketplace/install-adapter.md | 4 ---- .../aws-cloud-marketplace/install-adapter.md | 4 ---- 2 files changed, 8 deletions(-) diff --git a/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 36ff2d15b66b..e4050d9423bf 100644 --- a/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md @@ -20,10 +20,6 @@ In order to deploy and run the adapter successfully, you need to ensure its vers | Rancher Version | Adapter Version | |-----------------|------------------| | v2.10.0 | v105.0.0+up5.0.1 | -| v2.9.3 | v104.0.0+up4.0.0 | -| v2.9.2 | v104.0.0+up4.0.0 | -| v2.9.1 | v104.0.0+up4.0.0 | -| v2.9.0 | v104.0.0+up4.0.0 | ### 1. Gain Access to the Local Cluster diff --git a/versioned_docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/versioned_docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 36ff2d15b66b..e4050d9423bf 100644 --- a/versioned_docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/versioned_docs/version-2.10/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md @@ -20,10 +20,6 @@ In order to deploy and run the adapter successfully, you need to ensure its vers | Rancher Version | Adapter Version | |-----------------|------------------| | v2.10.0 | v105.0.0+up5.0.1 | -| v2.9.3 | v104.0.0+up4.0.0 | -| v2.9.2 | v104.0.0+up4.0.0 | -| v2.9.1 | v104.0.0+up4.0.0 | -| v2.9.0 | v104.0.0+up4.0.0 | ### 1. Gain Access to the Local Cluster 
From 407e7a674a1324ee9ee820d85684c013a2b59754 Mon Sep 17 00:00:00 2001 From: LucasSaintarbor Date: Thu, 14 Nov 2024 08:05:54 -0800 Subject: [PATCH 28/29] Update CNI popularity --- shared-files/_cni-popularity.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/shared-files/_cni-popularity.md b/shared-files/_cni-popularity.md index 5de5c290c9fa..c7d278de4900 100644 --- a/shared-files/_cni-popularity.md +++ b/shared-files/_cni-popularity.md @@ -3,8 +3,8 @@ The following table summarizes different GitHub metrics to give you an idea of e | Provider | Project | Stars | Forks | Contributors | | ---- | ---- | ---- | ---- | ---- | -| Canal | https://github.com/projectcalico/canal | 716 | 100 | 20 | -| Flannel | https://github.com/flannel-io/flannel | 8.8k | 2.9k | 234 | -| Calico | https://github.com/projectcalico/calico | 6.0k | 1.3k | 353 | -| Weave | https://github.com/weaveworks/weave/ | 6.6k | 670 | 85 | -| Cilium | https://github.com/cilium/cilium | 20.0k | 2.9k | 832 | +| Canal | https://github.com/projectcalico/canal | 717 | 100 | 20 | +| Flannel | https://github.com/flannel-io/flannel | 8.8k | 2.9k | 235 | +| Calico | https://github.com/projectcalico/calico | 6.0k | 1.3k | 356 | +| Weave | https://github.com/weaveworks/weave/ | 6.6k | 670 | 84 | +| Cilium | https://github.com/cilium/cilium | 20.2k | 3k | 853 | From ba2657cf700083701fb81938e7b9a49fb37aa302 Mon Sep 17 00:00:00 2001 From: LucasSaintarbor Date: Mon, 18 Nov 2024 10:58:30 -0800 Subject: [PATCH 29/29] [2.10.0] update deprecated features table entry --- docs/faq/deprecated-features.md | 2 +- versioned_docs/version-2.10/faq/deprecated-features.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/faq/deprecated-features.md b/docs/faq/deprecated-features.md index 0c3f07cd5b94..f05b0761ddbd 100644 --- a/docs/faq/deprecated-features.md +++ b/docs/faq/deprecated-features.md 
@@ -16,7 +16,7 @@ Rancher will publish deprecated features as part of the [release notes](https:// | Patch Version | Release Date | |---------------|---------------| -| [2.10.0](https://github.com/rancher/rancher/releases/tag/v2.10.0) | Nov 14, 2024 | +| [2.10.0](https://github.com/rancher/rancher/releases/tag/v2.10.0) | Nov 18, 2024 | ## What can I expect when a feature is marked for deprecation? diff --git a/versioned_docs/version-2.10/faq/deprecated-features.md b/versioned_docs/version-2.10/faq/deprecated-features.md index 0c3f07cd5b94..f05b0761ddbd 100644 --- a/versioned_docs/version-2.10/faq/deprecated-features.md +++ b/versioned_docs/version-2.10/faq/deprecated-features.md @@ -16,7 +16,7 @@ Rancher will publish deprecated features as part of the [release notes](https:// | Patch Version | Release Date | |---------------|---------------| -| [2.10.0](https://github.com/rancher/rancher/releases/tag/v2.10.0) | Nov 14, 2024 | +| [2.10.0](https://github.com/rancher/rancher/releases/tag/v2.10.0) | Nov 18, 2024 | ## What can I expect when a feature is marked for deprecation?
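Review bot: Deleting `versioned_docs/version-2.9/.../disconnected-clusters.md` and the "Disconnected clusters" section from both the 2.8 and 2.9 `rancher-managed-clusters.md` removes operational guidance that has a security side (keeping agent and Rancher versions aligned by having clusters online during an upgrade, and RKE/RKE2/K3s rotating expired certificates on startup) without pointing readers anywhere else for it. If the page is being consolidated, link the replacement from the overview page in the same hunk; if it is being dropped because it no longer applies, say so in the commit message so the removal reads as deliberate.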
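Review bot: The `version-2.7-sidebars.json` hunk removes the `disconnected-clusters` entry, but among the visible hunks only the version-2.9 `disconnected-clusters.md` is deleted; confirm that the 2.7 (and 2.8, 2.10) copies of the page are deleted as well, otherwise they become orphaned pages that are still built but unreachable from navigation.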
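Review bot: The zh `install-adapter.md` hunk records the adapter version for v2.10.0 as `v5.0.1`, while the English `docs/` and `version-2.10` hunks record `v105.0.0+up5.0.1`; both tables should use the same identifier (the chart version with its `+up` app version), or readers of the translated page will look for a different artifact than the one the English page names. The same hunk also drops the blank line between the table and the `## 1. 获取对 Local 集群的访问权限` heading; keep one blank line so the table is terminated before the heading.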
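Review bot: In the `versions.md` hunk the new v2.10 paragraph links Rancher Prime at `/v2.10/getting-started/...`, but the unchanged v2.9 paragraph directly below it still links `/v2.8/getting-started/...`; since this change already touches the block, fix that link to `/v2.9/` here. The new rows are raw HTML (the extraction keeps only the cell text: Version, Documentation, Release Notes, Support Matrix, Prime, Community, with two `N/A` cells in the v2.10.0 row), so please confirm in the rendered page which columns those `N/A` cells land in; availability in Prime and Community should be stated explicitly, as the webhook table does with ✓/✗, rather than left as N/A.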
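Review bot: The `docs/reference-guides/rancher-webhook.md` hunk drops all four v2.9.x rows and keeps only `v2.10.0 | v0.6.1`; since the page states that each Rancher version is compatible with a single webhook version, an operator checking a webhook mismatch mid-upgrade from 2.9.x now finds no mapping on the head page. Either keep the previous minor's rows in `docs/` (as the csp-adapter table still did at this point in the series) or add a sentence that older mappings live in the versioned docs.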
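Review bot: PATCH 25 adds the 2.10.0 row to `deprecated-features.md` with release date `Nov 14, 2024`, and PATCH 29 rewrites that same row in both files to `Nov 18, 2024`; squash the two commits so the history never records a wrong release date for the release.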
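Review bot: In both `view-reports.md` hunks the new pipeline runs two `jq` processes where one filter suffices, leaves `$REPORT` unquoted, and tags the fence `console` although the lines carry no prompt; suggest `kubectl get clusterscanreport "$REPORT" -o json | jq -r '.spec.reportJSON | fromjson | .actual_value_map_data' | base64 -d | gunzip | jq .` in a `bash` fence. The sentence above it says to run the command "on the cluster that was scanned"; it is run from any machine whose kubeconfig points at that cluster and it requires `jq` to be installed, which the page should state. Because `actual_value_map_data` is the decoded record of the actual configuration values the benchmark checks compared against, add a line noting that this output is a detailed description of the cluster's configuration and should be stored and shared with the same care as the cluster's other configuration artifacts.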
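Review bot: PATCH 27 removes the v2.9.x rows from the two `install-adapter.md` tables that PATCH 22 had just added or kept (including the `v2.9.3` row PATCH 22 added to `version-2.10`); squash 22 and 27 and settle the one-minor-per-table convention once, so `docs/` and `version-2.10` stay identical, as they are after this hunk.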
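Review bot: The `_cni-popularity.md` hunk refreshes the star, fork and contributor counts but the table still carries no sampling date, so readers cannot tell how stale the numbers are; add a "metrics as of <date>" sentence above the table in the same change. Raw GitHub counts are also a weak proxy on their own for choosing a CNI; pairing each row with the project's current maintenance status would give readers the signal that actually matters for long-term support.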