Merge pull request #3470 from rancher/master

Merge master into staging
2026-05-19 11:25:15 +00:00 · 2021-08-26 17:13:50 -07:00
parent 54eaa37e00 9ec961a05e
commit 08994faa24
9 changed files with 42 additions and 24 deletions
@@ -3,16 +3,16 @@ title: "Disable Components Flags"
 weight: 60
 ---

-When starting K3s server with --cluster-init it will run all control plane components that includes (api server, controller manager, scheduler, and etcd). However you can run server nodes with certain components and execlude others, the following sectiohs will explain how to do that.
+When starting K3s server with --cluster-init it will run all control plane components that includes (api server, controller manager, scheduler, and etcd). However you can run server nodes with certain components and execlude others, the following sections will explain how to do that.

 # ETCD Only Nodes

 This document assumes you run K3s server with embedded etcd by passing `--cluster-init` flag to the server process.

-To run a K3s server with only etcd components you can pass `--disable-api-server --disable-controller-manager --disable-scheduler` flags to k3s, this will result in running a server node with only etcd, for example to run K3s server with those flags:
+To run a K3s server with only etcd components you can pass `--disable-apiserver --disable-controller-manager --disable-scheduler` flags to k3s, this will result in running a server node with only etcd, for example to run K3s server with those flags:

 ```
-curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-api-server --disable-controller-manager --disable-scheduler
+curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-apiserver --disable-controller-manager --disable-scheduler
 ```

 You can join other nodes to the cluster normally after that.
@@ -34,12 +34,12 @@ ip-172-31-13-32   Ready    etcd                        5h39m   v1.20.4+k3s1
 ip-172-31-14-69   Ready    control-plane,master        5h39m   v1.20.4+k3s1
 ```

-Note that you can run `kubectl` commands only on the k3s server that has the api running, and you cant run `kubectl` commands on etcd only nodes.
+Note that you can run `kubectl` commands only on the k3s server that has the api running, and you can't run `kubectl` commands on etcd only nodes.


 ### Re-enabling control components

-In both cases you can re-enable any component that you already disabled simply by removing the corresponding flag that disables them, so for example if you want to revert the etcd only node back to a full k3s server with all components you can just remove the following 3 flags `--disable-api-server --disable-controller-manager --disable-scheduler`, so in our example to revert back node `ip-172-31-13-32` to a full k3s server you can just re-run the curl command without the disable flags:
+In both cases you can re-enable any component that you already disabled simply by removing the corresponding flag that disables them, so for example if you want to revert the etcd only node back to a full k3s server with all components you can just remove the following 3 flags `--disable-apiserver --disable-controller-manager --disable-scheduler`, so in our example to revert back node `ip-172-31-13-32` to a full k3s server you can just re-run the curl command without the disable flags:
 ```
 curl -fL https://get.k3s.io | sh -s - server --cluster-init
 ``` 
@@ -57,11 +57,11 @@ Notice that role labels has been re-added to the node `ip-172-31-13-32` with the

 # Add disable flags using the config file

-In any of the previous situation you can use the config file instead of running the curl commands with the associated flags, for example to run an etcd only node you can add the following options to the `/etc/rancher/k3s/config.yaml` file:
+In any of the previous situations you can use the config file instead of running the curl commands with the associated flags, for example to run an etcd only node you can add the following options to the `/etc/rancher/k3s/config.yaml` file:

 ```
 ---
-disable-api-server: true
+disable-apiserver: true
 disable-controller-manager: true
 disable-scheduler: true
 cluster-init: true
@@ -70,4 +70,19 @@ and then start K3s using the curl command without any arguents:

 ```
 curl -fL https://get.k3s.io | sh -
-```
+```
+# Disable components using .skip files
+
+For any yaml file under `/var/lib/rancher/k3s/server/manifests` (coredns, traefik, local-storeage, etc.) you can add a `.skip` file which will cause K3s to not apply the associated yaml file.
+For example, adding `traefik.yaml.skip` in the manifests directory will cause K3s to skip `traefik.yaml`.
+```
+ls /var/lib/rancher/k3s/server/manifests
+ccm.yaml      local-storage.yaml  rolebindings.yaml  traefik.yaml.skip
+coredns.yaml  traefik.yaml
+
+kubectl get pods -A
+NAMESPACE     NAME                                     READY   STATUS    RESTARTS   AGE
+kube-system   local-path-provisioner-64ffb68fd-xx98j   1/1     Running   0          74s
+kube-system   metrics-server-5489f84d5d-7zwkt          1/1     Running   0          74s
+kube-system   coredns-85cb69466-vcq7j                  1/1     Running   0          74s
+```
@@ -46,7 +46,7 @@ When using this method to install K3s, the following environment variables can b
 | `INSTALL_K3S_CHANNEL_URL` | Channel URL for fetching K3s download URL. Defaults to https://update.k3s.io/v1-release/channels. |
 | `INSTALL_K3S_CHANNEL` | Channel to use for fetching K3s download URL. Defaults to "stable". Options include: `stable`, `latest`, `testing`. |

-This example shows where to place aformentioned environment variables as options (after the pipe):
+This example shows where to place aforementioned environment variables as options (after the pipe):

 ```
 curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh -
@@ -16,7 +16,8 @@ headless: true
 | [Ability to back up your Kubernetes Clusters]({{<baseurl>}}/rancher/v2.0-v2.4/en/cluster-admin/backing-up-etcd/) | ✓ | | |
 | [Ability to recover and restore etcd]({{<baseurl>}}/rancher/v2.0-v2.4/en/cluster-admin/restoring-etcd/) | ✓ | | |
 | [Cleaning Kubernetes components when clusters are no longer reachable from Rancher]({{<baseurl>}}/rancher/v2.0-v2.4/en/cluster-admin/cleaning-cluster-nodes/) | ✓ | | |
-| [Configuring Pod Security Policies]({{<baseurl>}}/rancher/v2.0-v2.4/en/cluster-admin/pod-security-policy/) | ✓ |  | |
+| [Configuring Pod Security Policies]({{<baseurl>}}/rancher/v2.0-v2.4/en/cluster-admin/pod-security-policy/) | ✓ | | |
 | [Running Security Scans]({{<baseurl>}}/rancher/v2.0-v2.4/en/security/security-scan/) | ✓ |  | |
+| [Authorized Cluster Endpoint]({{<baseurl>}}/rancher/v2.0-v2.4/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint) | ✓ | | |

 \* Cluster configuration options can't be edited for imported clusters, except for K3s clusters.
@@ -108,7 +108,7 @@ _Available as of v2.2.0_

 Authorized Cluster Endpoint can be used to directly access the Kubernetes API server, without requiring communication through Rancher.

-> The authorized cluster endpoint only works on Rancher-launched Kubernetes clusters. In other words, it only works in clusters where Rancher [used RKE]({{<baseurl>}}/rancher/v2.0-v2.4/en/overview/architecture/#tools-for-provisioning-kubernetes-clusters) to provision the cluster. It is not available for clusters in a hosted Kubernetes provider, such as Amazon's EKS.
+> The authorized cluster endpoint is available only in clusters that Rancher has provisioned [using RKE]({{<baseurl>}}/rancher/v2.0-v2.4/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint). It is not available for clusters in hosted Kubernetes providers, such as Amazon's EKS. Additionally, the authorized cluster endpoint cannot be enabled for RKE clusters that are imported into Rancher; it is available only on Rancher-launched Kubernetes clusters.

 This is enabled by default in Rancher-launched Kubernetes clusters, using the IP of the node with the `controlplane` role and the default Kubernetes self signed certificates.

@@ -17,10 +17,11 @@ headless: true
 | [Configuring Tools (Alerts, Notifiers, Logging, Monitoring, Istio)]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/tools/) | ✓ | ✓ | ✓ | ✓ |
 | [Running Security Scans]({{<baseurl>}}/rancher/v2.5/en/security/security-scan/) | ✓ | ✓ | ✓ | ✓ |
 | [Use existing configuration to create additional clusters]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/cloning-clusters/)| ✓ | ✓ |✓ | |
-| [Ability to rotate certificates]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/certificate-rotation/) | ✓ | ✓  |  | |
+| [Ability to rotate certificates]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/certificate-rotation/) | ✓ | ✓  | | |
 | Ability to [backup]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/backing-up-etcd/) and [restore]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/restoring-etcd/) Rancher-launched clusters | ✓ | ✓ | | ✓<sup>4</sup> |
 | [Cleaning Kubernetes components when clusters are no longer reachable from Rancher]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/cleaning-cluster-nodes/) | ✓ | | | |
-| [Configuring Pod Security Policies]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/pod-security-policy/) | ✓ | ✓ |  ||
+| [Configuring Pod Security Policies]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/pod-security-policy/) | ✓ | ✓ | | |
+| [Authorized Cluster Endpoint]({{<baseurl>}}/rancher/v2.5/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint) | ✓ | | | |

 1. Registered GKE and EKS clusters have the same options available as GKE and EKS clusters created from the Rancher UI. The  difference is that when a registered cluster is deleted from the Rancher UI, [it is not destroyed.]({{<baseurl>}}/rancher/v2.5/en/cluster-provisioning/registered-clusters/#additional-features-for-registered-eks-and-gke-clusters)

@@ -48,7 +49,8 @@ headless: true
 | [Ability to rotate certificates]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/certificate-rotation/) | ✓ |  | ✓ | |
 | Ability to [backup]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/backing-up-etcd/) and [restore]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/restoring-etcd/) Rancher-launched clusters | ✓ | ✓ | | ✓<sup>3</sup> |
 | [Cleaning Kubernetes components when clusters are no longer reachable from Rancher]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/cleaning-cluster-nodes/) | ✓ | | | |
-| [Configuring Pod Security Policies]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/pod-security-policy/) | ✓ |  | ✓ ||
+| [Configuring Pod Security Policies]({{<baseurl>}}/rancher/v2.5/en/cluster-admin/pod-security-policy/) | ✓ | | ✓ | |
+| [Authorized Cluster Endpoint]({{<baseurl>}}/rancher/v2.5/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint) | ✓ | | |

 1. Cluster configuration options can't be edited for registered clusters, except for [K3s and RKE2 clusters.]({{<baseurl>}}/rancher/v2.5/en/cluster-provisioning/imported-clusters/)

@@ -108,7 +108,7 @@ See the [RKE documentation on private registries]({{<baseurl>}}/rke/latest/en/co

 Authorized Cluster Endpoint can be used to directly access the Kubernetes API server, without requiring communication through Rancher.

-> The authorized cluster endpoint only works on Rancher-launched Kubernetes clusters. In other words, it only works in clusters where Rancher [used RKE]({{<baseurl>}}/rancher/v2.5/en/overview/architecture/#tools-for-provisioning-kubernetes-clusters) to provision the cluster. It is not available for clusters in a hosted Kubernetes provider, such as Amazon's EKS.
+> The authorized cluster endpoint is available only in clusters that Rancher has provisioned [using RKE]({{<baseurl>}}/rancher/v2.5/en/overview/architecture/#tools-for-provisioning-kubernetes-clusters). It is not available for clusters in hosted Kubernetes providers, such as Amazon's EKS. Additionally, the authorized cluster endpoint cannot be enabled for RKE clusters that are registered with Rancher; it is available only on Rancher-launched Kubernetes clusters.

 This is enabled by default in Rancher-launched Kubernetes clusters, using the IP of the node with the `controlplane` role and the default Kubernetes self signed certificates.

@@ -39,7 +39,7 @@ Furthermore, Istio is implemented in our micro-PaaS "Rio", which works on Ranche

 **Will Rancher v2.x support Hashicorp's Vault for storing secrets?**

-Secrets management is on our roadmap but we haven't assigned it to a specific release yet. 
+There is no built-in integration of Rancher and Hashicorp's Vault. Rancher manages Kubernetes and integrates with secrets via the Kubernetes API. Thus in any downstream (managed) cluster, you can use a secret vault of your choice provided it integrates with Kubernetes, including [Vault](https://www.vaultproject.io/docs/platform/k8s). 

 <br>

@@ -109,7 +109,7 @@ _Available as of v2.2.0_

 Authorized Cluster Endpoint can be used to directly access the Kubernetes API server, without requiring communication through Rancher.

-> The authorized cluster endpoint only works on Rancher-launched Kubernetes clusters. In other words, it only works in clusters where Rancher [used RKE]({{<baseurl>}}/rancher/v2.x/en/overview/architecture/#tools-for-provisioning-kubernetes-clusters) to provision the cluster. It is not available for clusters in a hosted Kubernetes provider, such as Amazon's EKS.
+> The authorized cluster endpoint is available only in clusters that Rancher has provisioned [using RKE]({{<baseurl>}}/rancher/v2.x/en/overview/architecture/#tools-for-provisioning-kubernetes-clusters). It is not available for clusters in hosted Kubernetes providers, such as Amazon's EKS. Additionally, the authorized cluster endpoint cannot be enabled for RKE clusters that are imported into Rancher; it is available only on Rancher-launched Kubernetes clusters.

 This is enabled by default in Rancher-launched Kubernetes clusters, using the IP of the node with the `controlplane` role and the default Kubernetes self signed certificates.

@@ -7,16 +7,16 @@ weight: 5
 <!-- TOC -->
 - [Operating System](#operating-system)
  - [General Linux Requirements](#general-linux-requirements)
-  - [SUSE Linux Enterprise Server (SLES) / openSUSE](#suse-linux-enterprise-server-sles--opensuse)
+  - [SUSE Linux Enterprise Server (SLES) / openSUSE](#suse-linux-enterprise-server-sles-opensuse)
    - [Using Upstream Docker](#using-upstream-docker)
-    - [Using SUSE/openSUSE packaged Docker](#using-suseopensuse-packaged-docker)
+    - [Using SUSE/openSUSE packaged Docker](#using-suse-opensuse-packaged-docker)
    - [Adding the Software Repository for Docker](#adding-the-software-repository-for-docker)
-  - [openSUSE MicroOS/Kubic (Atomic)](#opensuse-microoskubic-atomic)
+  - [openSUSE MicroOS/Kubic (Atomic)](#opensuse-microos-kubic-atomic)
    - [openSUSE MicroOS](#opensuse-microos)
    - [openSUSE Kubic](#opensuse-kubic)
-  - [Red Hat Enterprise Linux (RHEL) / Oracle Linux (OL) / CentOS](#red-hat-enterprise-linux-rhel--oracle-linux-ol--centos)
+  - [Red Hat Enterprise Linux (RHEL) / Oracle Linux (OL) / CentOS](#red-hat-enterprise-linux-rhel-oracle-linux-ol-centos)
    - [Using upstream Docker](#using-upstream-docker-1)
-    - [Using RHEL/CentOS packaged Docker](#using-rhelcentos-packaged-docker)
+    - [Using RHEL/CentOS packaged Docker](#using-rhel-centos-packaged-docker)
  - [Red Hat Atomic](#red-hat-atomic)
    - [OpenSSH version](#openssh-version)
    - [Creating a Docker Group](#creating-a-docker-group)
@@ -28,8 +28,8 @@ weight: 5
  - [Installing Docker](#installing-docker)
  - [Checking the Installed Docker Version](#checking-the-installed-docker-version)
 - [Ports](#ports)
-  - [Opening port TCP/6443 using `iptables`](#opening-port-tcp6443-using-iptables)
-  - [Opening port TCP/6443 using `firewalld`](#opening-port-tcp6443-using-firewalld)
+  - [Opening port TCP/6443 using `iptables`](#opening-port-tcp-6443-using-iptables)
+  - [Opening port TCP/6443 using `firewalld`](#opening-port-tcp-6443-using-firewalld)
 - [SSH Server Configuration](#ssh-server-configuration)

 <!-- /TOC -->