diff --git a/content/k3s/latest/en/installation/disable-flags/_index.md b/content/k3s/latest/en/installation/disable-flags/_index.md index 6652c85d704..83b6b692cca 100644 --- a/content/k3s/latest/en/installation/disable-flags/_index.md +++ b/content/k3s/latest/en/installation/disable-flags/_index.md @@ -3,16 +3,16 @@ title: "Disable Components Flags" weight: 60 --- -When starting K3s server with --cluster-init it will run all control plane components that includes (api server, controller manager, scheduler, and etcd). However you can run server nodes with certain components and execlude others, the following sectiohs will explain how to do that. +When starting K3s server with --cluster-init it will run all control plane components that includes (api server, controller manager, scheduler, and etcd). However you can run server nodes with certain components and execlude others, the following sections will explain how to do that. # ETCD Only Nodes This document assumes you run K3s server with embedded etcd by passing `--cluster-init` flag to the server process. -To run a K3s server with only etcd components you can pass `--disable-api-server --disable-controller-manager --disable-scheduler` flags to k3s, this will result in running a server node with only etcd, for example to run K3s server with those flags: +To run a K3s server with only etcd components you can pass `--disable-apiserver --disable-controller-manager --disable-scheduler` flags to k3s, this will result in running a server node with only etcd, for example to run K3s server with those flags: ``` -curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-api-server --disable-controller-manager --disable-scheduler +curl -fL https://get.k3s.io | sh -s - server --cluster-init --disable-apiserver --disable-controller-manager --disable-scheduler ``` You can join other nodes to the cluster normally after that. 
@@ -34,12 +34,12 @@ ip-172-31-13-32 Ready etcd 5h39m v1.20.4+k3s1 ip-172-31-14-69 Ready control-plane,master 5h39m v1.20.4+k3s1 ``` -Note that you can run `kubectl` commands only on the k3s server that has the api running, and you cant run `kubectl` commands on etcd only nodes. +Note that you can run `kubectl` commands only on the k3s server that has the api running, and you can't run `kubectl` commands on etcd only nodes. ### Re-enabling control components -In both cases you can re-enable any component that you already disabled simply by removing the corresponding flag that disables them, so for example if you want to revert the etcd only node back to a full k3s server with all components you can just remove the following 3 flags `--disable-api-server --disable-controller-manager --disable-scheduler`, so in our example to revert back node `ip-172-31-13-32` to a full k3s server you can just re-run the curl command without the disable flags: +In both cases you can re-enable any component that you already disabled simply by removing the corresponding flag that disables them, so for example if you want to revert the etcd only node back to a full k3s server with all components you can just remove the following 3 flags `--disable-apiserver --disable-controller-manager --disable-scheduler`, so in our example to revert back node `ip-172-31-13-32` to a full k3s server you can just re-run the curl command without the disable flags: ``` curl -fL https://get.k3s.io | sh -s - server --cluster-init ``` 
@@ -57,11 +57,11 @@ Notice that role labels has been re-added to the node `ip-172-31-13-32` with the # Add disable flags using the config file -In any of the previous situation you can use the config file instead of running the curl commands with the associated flags, for example to run an etcd only node you can add the following options to the `/etc/rancher/k3s/config.yaml` file: +In any of the previous situations you can use the config file instead of running the curl commands with the associated flags, for example to run an etcd only node you can add the following options to the `/etc/rancher/k3s/config.yaml` file: ``` --- -disable-api-server: true +disable-apiserver: true disable-controller-manager: true disable-scheduler: true cluster-init: true @@ -70,4 +70,19 @@ and then start K3s using the curl command without any arguents: ``` curl -fL https://get.k3s.io | sh - -``` \ No newline at end of file +``` +# Disable components using .skip files + +For any yaml file under `/var/lib/rancher/k3s/server/manifests` (coredns, traefik, local-storeage, etc.) you can add a `.skip` file which will cause K3s to not apply the associated yaml file. +For example, adding `traefik.yaml.skip` in the manifests directory will cause K3s to skip `traefik.yaml`. +``` +ls /var/lib/rancher/k3s/server/manifests +ccm.yaml local-storage.yaml rolebindings.yaml traefik.yaml.skip +coredns.yaml traefik.yaml + +kubectl get pods -A +NAMESPACE NAME READY STATUS RESTARTS AGE +kube-system local-path-provisioner-64ffb68fd-xx98j 1/1 Running 0 74s +kube-system metrics-server-5489f84d5d-7zwkt 1/1 Running 0 74s +kube-system coredns-85cb69466-vcq7j 1/1 Running 0 74s +``` diff --git a/content/k3s/latest/en/installation/install-options/_index.md b/content/k3s/latest/en/installation/install-options/_index.md index af4845e5f50..e38f4cb7f01 100644 --- a/content/k3s/latest/en/installation/install-options/_index.md +++ b/content/k3s/latest/en/installation/install-options/_index.md 
@@ -46,7 +46,7 @@ When using this method to install K3s, the following environment variables can b | `INSTALL_K3S_CHANNEL_URL` | Channel URL for fetching K3s download URL. Defaults to https://update.k3s.io/v1-release/channels. | | `INSTALL_K3S_CHANNEL` | Channel to use for fetching K3s download URL. Defaults to "stable". Options include: `stable`, `latest`, `testing`. | -This example shows where to place aformentioned environment variables as options (after the pipe): +This example shows where to place aforementioned environment variables as options (after the pipe): ``` curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh - diff --git a/content/rancher/v2.0-v2.4/en/cluster-provisioning/cluster-capabilities-table/index.md b/content/rancher/v2.0-v2.4/en/cluster-provisioning/cluster-capabilities-table/index.md index 2af054da595..a1c3bb4f8e6 100644 --- a/content/rancher/v2.0-v2.4/en/cluster-provisioning/cluster-capabilities-table/index.md +++ b/content/rancher/v2.0-v2.4/en/cluster-provisioning/cluster-capabilities-table/index.md 
@@ -16,7 +16,8 @@ headless: true | [Ability to back up your Kubernetes Clusters]({{}}/rancher/v2.0-v2.4/en/cluster-admin/backing-up-etcd/) | ✓ | | | | [Ability to recover and restore etcd]({{}}/rancher/v2.0-v2.4/en/cluster-admin/restoring-etcd/) | ✓ | | | | [Cleaning Kubernetes components when clusters are no longer reachable from Rancher]({{}}/rancher/v2.0-v2.4/en/cluster-admin/cleaning-cluster-nodes/) | ✓ | | | -| [Configuring Pod Security Policies]({{}}/rancher/v2.0-v2.4/en/cluster-admin/pod-security-policy/) | ✓ | | | +| [Configuring Pod Security Policies]({{}}/rancher/v2.0-v2.4/en/cluster-admin/pod-security-policy/) | ✓ | | | | [Running Security Scans]({{}}/rancher/v2.0-v2.4/en/security/security-scan/) | ✓ | | | +| [Authorized Cluster Endpoint]({{}}/rancher/v2.0-v2.4/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint) | ✓ | | | \* Cluster configuration options can't be edited for imported clusters, except for K3s clusters. diff --git a/content/rancher/v2.0-v2.4/en/cluster-provisioning/rke-clusters/options/_index.md b/content/rancher/v2.0-v2.4/en/cluster-provisioning/rke-clusters/options/_index.md index bc6c50f0c99..a02c277da87 100644 --- a/content/rancher/v2.0-v2.4/en/cluster-provisioning/rke-clusters/options/_index.md +++ b/content/rancher/v2.0-v2.4/en/cluster-provisioning/rke-clusters/options/_index.md 
@@ -108,7 +108,7 @@ _Available as of v2.2.0_ Authorized Cluster Endpoint can be used to directly access the Kubernetes API server, without requiring communication through Rancher. -> The authorized cluster endpoint only works on Rancher-launched Kubernetes clusters. In other words, it only works in clusters where Rancher [used RKE]({{}}/rancher/v2.0-v2.4/en/overview/architecture/#tools-for-provisioning-kubernetes-clusters) to provision the cluster. It is not available for clusters in a hosted Kubernetes provider, such as Amazon's EKS. +> The authorized cluster endpoint is available only in clusters that Rancher has provisioned [using RKE]({{}}/rancher/v2.0-v2.4/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint). It is not available for clusters in hosted Kubernetes providers, such as Amazon's EKS. Additionally, the authorized cluster endpoint cannot be enabled for RKE clusters that are imported into Rancher; it is available only on Rancher-launched Kubernetes clusters. This is enabled by default in Rancher-launched Kubernetes clusters, using the IP of the node with the `controlplane` role and the default Kubernetes self signed certificates. diff --git a/content/rancher/v2.5/en/cluster-provisioning/cluster-capabilities-table/index.md b/content/rancher/v2.5/en/cluster-provisioning/cluster-capabilities-table/index.md index 17ee1f9c6a1..ecd96cc3210 100644 --- a/content/rancher/v2.5/en/cluster-provisioning/cluster-capabilities-table/index.md +++ b/content/rancher/v2.5/en/cluster-provisioning/cluster-capabilities-table/index.md 
@@ -17,10 +17,11 @@ headless: true | [Configuring Tools (Alerts, Notifiers, Logging, Monitoring, Istio)]({{}}/rancher/v2.5/en/cluster-admin/tools/) | ✓ | ✓ | ✓ | ✓ | | [Running Security Scans]({{}}/rancher/v2.5/en/security/security-scan/) | ✓ | ✓ | ✓ | ✓ | | [Use existing configuration to create additional clusters]({{}}/rancher/v2.5/en/cluster-admin/cloning-clusters/)| ✓ | ✓ |✓ | | -| [Ability to rotate certificates]({{}}/rancher/v2.5/en/cluster-admin/certificate-rotation/) | ✓ | ✓ | | | +| [Ability to rotate certificates]({{}}/rancher/v2.5/en/cluster-admin/certificate-rotation/) | ✓ | ✓ | | | | Ability to [backup]({{}}/rancher/v2.5/en/cluster-admin/backing-up-etcd/) and [restore]({{}}/rancher/v2.5/en/cluster-admin/restoring-etcd/) Rancher-launched clusters | ✓ | ✓ | | ✓4 | | [Cleaning Kubernetes components when clusters are no longer reachable from Rancher]({{}}/rancher/v2.5/en/cluster-admin/cleaning-cluster-nodes/) | ✓ | | | | -| [Configuring Pod Security Policies]({{}}/rancher/v2.5/en/cluster-admin/pod-security-policy/) | ✓ | ✓ | || +| [Configuring Pod Security Policies]({{}}/rancher/v2.5/en/cluster-admin/pod-security-policy/) | ✓ | ✓ | | | +| [Authorized Cluster Endpoint]({{}}/rancher/v2.5/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint) | ✓ | | | | 1. Registered GKE and EKS clusters have the same options available as GKE and EKS clusters created from the Rancher UI. The difference is that when a registered cluster is deleted from the Rancher UI, [it is not destroyed.]({{}}/rancher/v2.5/en/cluster-provisioning/registered-clusters/#additional-features-for-registered-eks-and-gke-clusters) 
@@ -48,7 +49,8 @@ headless: true | [Ability to rotate certificates]({{}}/rancher/v2.5/en/cluster-admin/certificate-rotation/) | ✓ | | ✓ | | | Ability to [backup]({{}}/rancher/v2.5/en/cluster-admin/backing-up-etcd/) and [restore]({{}}/rancher/v2.5/en/cluster-admin/restoring-etcd/) Rancher-launched clusters | ✓ | ✓ | | ✓3 | | [Cleaning Kubernetes components when clusters are no longer reachable from Rancher]({{}}/rancher/v2.5/en/cluster-admin/cleaning-cluster-nodes/) | ✓ | | | | -| [Configuring Pod Security Policies]({{}}/rancher/v2.5/en/cluster-admin/pod-security-policy/) | ✓ | | ✓ || +| [Configuring Pod Security Policies]({{}}/rancher/v2.5/en/cluster-admin/pod-security-policy/) | ✓ | | ✓ | | +| [Authorized Cluster Endpoint]({{}}/rancher/v2.5/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint) | ✓ | | | 1. Cluster configuration options can't be edited for registered clusters, except for [K3s and RKE2 clusters.]({{}}/rancher/v2.5/en/cluster-provisioning/imported-clusters/) diff --git a/content/rancher/v2.5/en/cluster-provisioning/rke-clusters/options/_index.md b/content/rancher/v2.5/en/cluster-provisioning/rke-clusters/options/_index.md index aef26507b12..7105f8937d3 100644 --- a/content/rancher/v2.5/en/cluster-provisioning/rke-clusters/options/_index.md +++ b/content/rancher/v2.5/en/cluster-provisioning/rke-clusters/options/_index.md 
@@ -108,7 +108,7 @@ See the [RKE documentation on private registries]({{}}/rke/latest/en/co Authorized Cluster Endpoint can be used to directly access the Kubernetes API server, without requiring communication through Rancher. -> The authorized cluster endpoint only works on Rancher-launched Kubernetes clusters. In other words, it only works in clusters where Rancher [used RKE]({{}}/rancher/v2.5/en/overview/architecture/#tools-for-provisioning-kubernetes-clusters) to provision the cluster. It is not available for clusters in a hosted Kubernetes provider, such as Amazon's EKS. +> The authorized cluster endpoint is available only in clusters that Rancher has provisioned [using RKE]({{}}/rancher/v2.5/en/overview/architecture/#tools-for-provisioning-kubernetes-clusters). It is not available for clusters in hosted Kubernetes providers, such as Amazon's EKS. Additionally, the authorized cluster endpoint cannot be enabled for RKE clusters that are registered with Rancher; it is available only on Rancher-launched Kubernetes clusters. This is enabled by default in Rancher-launched Kubernetes clusters, using the IP of the node with the `controlplane` role and the default Kubernetes self signed certificates. diff --git a/content/rancher/v2.5/en/faq/_index.md b/content/rancher/v2.5/en/faq/_index.md index 7cd76f88e5d..47366434f30 100644 --- a/content/rancher/v2.5/en/faq/_index.md +++ b/content/rancher/v2.5/en/faq/_index.md 
@@ -39,7 +39,7 @@ Furthermore, Istio is implemented in our micro-PaaS "Rio", which works on Ranche **Will Rancher v2.x support Hashicorp's Vault for storing secrets?** -Secrets management is on our roadmap but we haven't assigned it to a specific release yet. +There is no built-in integration of Rancher and Hashicorp's Vault. Rancher manages Kubernetes and integrates with secrets via the Kubernetes API. Thus in any downstream (managed) cluster, you can use a secret vault of your choice provided it integrates with Kubernetes, including [Vault](https://www.vaultproject.io/docs/platform/k8s).
diff --git a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md index a7f4c4580d3..a03651da243 100644 --- a/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md +++ b/content/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/_index.md @@ -109,7 +109,7 @@ _Available as of v2.2.0_ Authorized Cluster Endpoint can be used to directly access the Kubernetes API server, without requiring communication through Rancher. -> The authorized cluster endpoint only works on Rancher-launched Kubernetes clusters. In other words, it only works in clusters where Rancher [used RKE]({{}}/rancher/v2.x/en/overview/architecture/#tools-for-provisioning-kubernetes-clusters) to provision the cluster. It is not available for clusters in a hosted Kubernetes provider, such as Amazon's EKS. +> The authorized cluster endpoint is available only in clusters that Rancher has provisioned [using RKE]({{}}/rancher/v2.x/en/overview/architecture/#tools-for-provisioning-kubernetes-clusters). It is not available for clusters in hosted Kubernetes providers, such as Amazon's EKS. Additionally, the authorized cluster endpoint cannot be enabled for RKE clusters that are imported into Rancher; it is available only on Rancher-launched Kubernetes clusters. This is enabled by default in Rancher-launched Kubernetes clusters, using the IP of the node with the `controlplane` role and the default Kubernetes self signed certificates. diff --git a/content/rke/latest/en/os/_index.md b/content/rke/latest/en/os/_index.md index 843d66304e5..d60aa9c39ed 100644 --- a/content/rke/latest/en/os/_index.md +++ b/content/rke/latest/en/os/_index.md 
@@ -7,16 +7,16 @@ weight: 5 - [Operating System](#operating-system) - [General Linux Requirements](#general-linux-requirements) - - [SUSE Linux Enterprise Server (SLES) / openSUSE](#suse-linux-enterprise-server-sles--opensuse) + - [SUSE Linux Enterprise Server (SLES) / openSUSE](#suse-linux-enterprise-server-sles-opensuse) - [Using Upstream Docker](#using-upstream-docker) - - [Using SUSE/openSUSE packaged Docker](#using-suseopensuse-packaged-docker) + - [Using SUSE/openSUSE packaged Docker](#using-suse-opensuse-packaged-docker) - [Adding the Software Repository for Docker](#adding-the-software-repository-for-docker) - - [openSUSE MicroOS/Kubic (Atomic)](#opensuse-microoskubic-atomic) + - [openSUSE MicroOS/Kubic (Atomic)](#opensuse-microos-kubic-atomic) - [openSUSE MicroOS](#opensuse-microos) - [openSUSE Kubic](#opensuse-kubic) - - [Red Hat Enterprise Linux (RHEL) / Oracle Linux (OL) / CentOS](#red-hat-enterprise-linux-rhel--oracle-linux-ol--centos) + - [Red Hat Enterprise Linux (RHEL) / Oracle Linux (OL) / CentOS](#red-hat-enterprise-linux-rhel-oracle-linux-ol-centos) - [Using upstream Docker](#using-upstream-docker-1) - - [Using RHEL/CentOS packaged Docker](#using-rhelcentos-packaged-docker) + - [Using RHEL/CentOS packaged Docker](#using-rhel-centos-packaged-docker) - [Red Hat Atomic](#red-hat-atomic) - [OpenSSH version](#openssh-version) - [Creating a Docker Group](#creating-a-docker-group) @@ -28,8 +28,8 @@ weight: 5 - [Installing Docker](#installing-docker) - [Checking the Installed Docker Version](#checking-the-installed-docker-version) - [Ports](#ports) - - [Opening port TCP/6443 using `iptables`](#opening-port-tcp6443-using-iptables) - - [Opening port TCP/6443 using `firewalld`](#opening-port-tcp6443-using-firewalld) + - [Opening port TCP/6443 using `iptables`](#opening-port-tcp-6443-using-iptables) + - [Opening port TCP/6443 using `firewalld`](#opening-port-tcp-6443-using-firewalld) - [SSH Server Configuration](#ssh-server-configuration)
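Review bot: In content/k3s/latest/en/installation/disable-flags/_index.md, hunk @@ -3,16, the rewritten intro line corrects "sectiohs" but still carries "execlude"; change it to "exclude" in the same edit. The rename from `--disable-api-server` to `--disable-apiserver` is applied to both the prose and the curl example in this hunk, and the later hunks in this file follow it, so the flag spelling is at least consistent across the page.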
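Review bot: In disable-flags/_index.md, hunk @@ -70,4, the new ".skip files" section spells the component "local-storeage" while the listing right below it shows `local-storage.yaml`; fix the spelling. The `# Disable components using .skip files` heading is added directly after the closing fence with no blank line, and the example fence opens directly after the "will cause K3s to skip `traefik.yaml`" sentence, so add blank lines around both. The section also does not say how the `.skip` file is created or whether its contents matter, and the sample output only shows that no traefik pod is running; a sentence covering that, and what happens to a component that was already deployed, would make the example usable. The context line "without any arguents" could be corrected while this area is being touched.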
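Review bot: In content/rancher/v2.0-v2.4/en/cluster-provisioning/rke-clusters/options/_index.md, hunk @@ -108,7, the "using RKE" link now points at `.../cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint`, which is the section this note sits in, so the link leads back to itself. The matching hunks for v2.5 and v2.x keep `.../overview/architecture/#tools-for-provisioning-kubernetes-clusters`; use the same target here. The new note also says the endpoint is "available only" on Rancher-provisioned clusters in both its first and last sentence; the closing clause can be dropped.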
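Review bot: In content/rancher/v2.5/en/cluster-provisioning/cluster-capabilities-table/index.md, hunk @@ -48,7, the added "Authorized Cluster Endpoint" row ends in `| ✓ | | |`, three value cells, while the neighbouring rows in this table have four (for example `| ✓ | | ✓ | |`). Add the missing cell so the row matches the column count; the same row added in hunk @@ -17,10 of this file has four cells and can serve as the pattern.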
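Review bot: In content/rancher/v2.5/en/faq/_index.md, hunk @@ -39,7, the phrase "a secret vault of your choice ... including Vault" uses "vault" both generically and as the product name, which reads as circular; something like "a secrets manager of your choice" is clearer. "Integrates with secrets via the Kubernetes API" should also say explicitly that this means Kubernetes Secrets, since the question is about where secrets are stored. The product name is spelled "Hashicorp" in the new answer; the vendor writes it "HashiCorp".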
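Review bot: In content/rke/latest/en/os/_index.md, hunks @@ -7,16 and @@ -28,8, only the link targets in the table of contents change (for example `#opening-port-tcp6443-using-iptables` to `#opening-port-tcp-6443-using-iptables`), and the headings themselves are not part of the diff, so nothing here shows that the new fragments match the IDs the site generates. Please confirm each new anchor against the rendered page before merging, in particular the ones where a " / " or "/" in the heading is now mapped to a single hyphen.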