diff --git a/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index ae248cc9b7c..361adde18a6 100644
--- a/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -17,6 +17,7 @@ plugins:
 - cattle-system
 - cattle-epinio-system
 - cattle-fleet-system
+ - cattle-fleet-local-system
 - longhorn-system
 - cattle-neuvector-system
 - cattle-monitoring-system
@@ -32,6 +33,7 @@ plugins:
 - cattle-sriov-system
 - cattle-ui-plugin-system
 - tigera-operator
+ - cattle-provisioning-capi-system
 kind: PodSecurityConfiguration
 name: PodSecurity
- path: ""
\ No newline at end of file
+ path: ""
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index dac4d66ee52..b85fd487935 100644
--- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
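Review bot: The sample rancher-psact.yaml now exempts `cattle-fleet-local-system` and `cattle-provisioning-capi-system`, but the namespace lists updated elsewhere in this same commit (psa-config-templates.md and the rke1 hardening guide) also add `cattle-elemental-system` and `cattle-resources-system`, and neither is added to this file. Unless both already appear in the lines between the two hunks (old lines 24–31, not shown here), a user who applies this file as their admission configuration will still have pods in those namespaces blocked by the restrictive policy, exactly the failure the prose in psa-config-templates.md warns about. The identical pair of hunks in versioned_docs/version-2.7/.../rancher-psact.yaml has the same gap. A comment at the head of the exemption list, `# Keep in sync with psa-config-templates.md, "Exempting Required Rancher Namespaces"`, would make the coupling visible to the next editor.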
@@ -85,12 +85,13 @@ Any user that is bound to the above permission will be able to change the restri
 ## Exempting Required Rancher Namespaces
-When you run Rancher on a Kubernetes cluster that enforces a restrictive security policy by default, you'll need to [exempt the following namespaces](#exempting-namespaces), otherwise the policy might prevent Rancher system pods from running properly.
+When you run Rancher on a Kubernetes cluster that enforces a restrictive security policy by default, you'll need to [exempt the following namespaces](#exempting-namespaces), otherwise the policy might prevent Rancher system pods from running properly.
 - `calico-apiserver`
 - `calico-system`
 - `cattle-alerting`
 - `cattle-csp-adapter-system`
+- `cattle-elemental-system`
 - `cattle-epinio-system`
 - `cattle-externalip-system`
 - `cattle-fleet-local-system`
@@ -106,6 +107,8 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `cattle-monitoring-system`
 - `cattle-neuvector-system`
 - `cattle-prometheus`
+- `cattle-provisioning-capi-system`
+- `cattle-resources-system`
 - `cattle-sriov-system`
 - `cattle-system`
 - `cattle-ui-plugin-system`
diff --git a/docs/pages-for-subheaders/installation-requirements.md b/docs/pages-for-subheaders/installation-requirements.md
index e90c3bbd087..758b6fea806 100644
--- a/docs/pages-for-subheaders/installation-requirements.md
+++ b/docs/pages-for-subheaders/installation-requirements.md
@@ -23,6 +23,10 @@ See our page on [best practices](../reference-guides/best-practices/rancher-serv
 Rancher needs to be installed on a supported Kubernetes version. Consult the [Rancher support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions) to ensure that your intended version of Kubernetes is supported.
+### Install Rancher on a Hardened Kubernetes cluster
+
+If you install Rancher on a hardened Kubernetes cluster, check the [Exempting Required Rancher Namespaces](../../../docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md#exempting-required-rancher-namespaces) section for detailed requirements.
+
 ## Operating Systems and Container Runtime Requirements
 All supported operating systems are 64-bit x86. Rancher should work with any modern Linux distribution.
diff --git a/docs/pages-for-subheaders/rke1-hardening-guide.md b/docs/pages-for-subheaders/rke1-hardening-guide.md
index 4d6f97e18c7..effc11a78bf 100644
--- a/docs/pages-for-subheaders/rke1-hardening-guide.md
+++ b/docs/pages-for-subheaders/rke1-hardening-guide.md
@@ -209,41 +209,44 @@ services:
 exemptions:
 usernames: []
 runtimeClasses: []
- namespaces: [ calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- rancher-alerting-drivers,
- security-scan,
- tigera-operator ]
+ namespaces: [calico-apiserver,
+ calico-system,
+ cattle-alerting,
+ cattle-csp-adapter-system,
+ cattle-elemental-system,
+ cattle-epinio-system,
+ cattle-externalip-system,
+ cattle-fleet-local-system,
+ cattle-fleet-system,
+ cattle-gatekeeper-system,
+ cattle-global-data,
+ cattle-global-nt,
+ cattle-impersonation-system,
+ cattle-istio,
+ cattle-istio-system,
+ cattle-logging,
+ cattle-logging-system,
+ cattle-monitoring-system,
+ cattle-neuvector-system,
+ cattle-prometheus,
+ cattle-provisioning-capi-system,
+ cattle-resources-system,
+ cattle-sriov-system,
+ cattle-system,
+ cattle-ui-plugin-system,
+ cattle-windows-gmsa-system,
+ cert-manager,
+ cis-operator-system,
+ fleet-default,
+ ingress-nginx,
+ istio-system,
+ kube-node-lease,
+ kube-public,
+ kube-system,
+ longhorn-system,
+ rancher-alerting-drivers,
+ security-scan,
+ tigera-operator]
 kube-controller:
 extra_args:
 feature-gates: RotateKubeletServerCertificate=true
diff --git a/docs/reference-guides/rancher-security/psa-restricted-exemptions.md b/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
index 0f35551cf31..f9e68addefb 100644
--- a/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -46,6 +46,7 @@ plugins:
 cattle-monitoring-system,
 cattle-neuvector-system,
 cattle-prometheus,
+ cattle-provisioning-capi-system,
 cattle-resources-system,
 cattle-sriov-system,
 cattle-system,
diff --git a/sidebars.js b/sidebars.js
index 71e5f0a46d6..2e8491500b0 100644
--- a/sidebars.js
+++ b/sidebars.js
@@ -57,7 +57,7 @@ const sidebars = {
 "getting-started/quick-start-guides/deploy-rancher-manager/prime",
 {
 type: 'category',
- label: 'Deploy Rancher Workloads',
+ label: 'Deploy Workloads',
 link: {
 type: 'doc',
 id: "pages-for-subheaders/deploy-rancher-workloads",
diff --git a/versioned_docs/version-2.7/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/versioned_docs/version-2.7/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index ae248cc9b7c..361adde18a6 100644
--- a/versioned_docs/version-2.7/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/versioned_docs/version-2.7/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -17,6 +17,7 @@ plugins:
 - cattle-system
 - cattle-epinio-system
 - cattle-fleet-system
+ - cattle-fleet-local-system
 - longhorn-system
 - cattle-neuvector-system
 - cattle-monitoring-system
@@ -32,6 +33,7 @@ plugins:
 - cattle-sriov-system
 - cattle-ui-plugin-system
 - tigera-operator
+ - cattle-provisioning-capi-system
 kind: PodSecurityConfiguration
 name: PodSecurity
- path: ""
\ No newline at end of file
+ path: ""
diff --git a/versioned_docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index dac4d66ee52..b85fd487935 100644
--- a/versioned_docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/versioned_docs/version-2.7/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -85,12 +85,13 @@ Any user that is bound to the above permission will be able to change the restri
 ## Exempting Required Rancher Namespaces
-When you run Rancher on a Kubernetes cluster that enforces a restrictive security policy by default, you'll need to [exempt the following namespaces](#exempting-namespaces), otherwise the policy might prevent Rancher system pods from running properly.
+When you run Rancher on a Kubernetes cluster that enforces a restrictive security policy by default, you'll need to [exempt the following namespaces](#exempting-namespaces), otherwise the policy might prevent Rancher system pods from running properly.
 - `calico-apiserver`
 - `calico-system`
 - `cattle-alerting`
 - `cattle-csp-adapter-system`
+- `cattle-elemental-system`
 - `cattle-epinio-system`
 - `cattle-externalip-system`
 - `cattle-fleet-local-system`
@@ -106,6 +107,8 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `cattle-monitoring-system`
 - `cattle-neuvector-system`
 - `cattle-prometheus`
+- `cattle-provisioning-capi-system`
+- `cattle-resources-system`
 - `cattle-sriov-system`
 - `cattle-system`
 - `cattle-ui-plugin-system`
diff --git a/versioned_docs/version-2.7/pages-for-subheaders/installation-requirements.md b/versioned_docs/version-2.7/pages-for-subheaders/installation-requirements.md
index e90c3bbd087..758b6fea806 100644
--- a/versioned_docs/version-2.7/pages-for-subheaders/installation-requirements.md
+++ b/versioned_docs/version-2.7/pages-for-subheaders/installation-requirements.md
@@ -23,6 +23,10 @@ See our page on [best practices](../reference-guides/best-practices/rancher-serv
 Rancher needs to be installed on a supported Kubernetes version. Consult the [Rancher support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions) to ensure that your intended version of Kubernetes is supported.
+### Install Rancher on a Hardened Kubernetes cluster
+
+If you install Rancher on a hardened Kubernetes cluster, check the [Exempting Required Rancher Namespaces](../../../docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md#exempting-required-rancher-namespaces) section for detailed requirements.
+
 ## Operating Systems and Container Runtime Requirements
 All supported operating systems are 64-bit x86. Rancher should work with any modern Linux distribution.
diff --git a/versioned_docs/version-2.7/pages-for-subheaders/rke1-hardening-guide.md b/versioned_docs/version-2.7/pages-for-subheaders/rke1-hardening-guide.md
index 4d6f97e18c7..effc11a78bf 100644
--- a/versioned_docs/version-2.7/pages-for-subheaders/rke1-hardening-guide.md
+++ b/versioned_docs/version-2.7/pages-for-subheaders/rke1-hardening-guide.md
@@ -209,41 +209,44 @@ services:
 exemptions:
 usernames: []
 runtimeClasses: []
- namespaces: [ calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- rancher-alerting-drivers,
- security-scan,
- tigera-operator ]
+ namespaces: [calico-apiserver,
+ calico-system,
+ cattle-alerting,
+ cattle-csp-adapter-system,
+ cattle-elemental-system,
+ cattle-epinio-system,
+ cattle-externalip-system,
+ cattle-fleet-local-system,
+ cattle-fleet-system,
+ cattle-gatekeeper-system,
+ cattle-global-data,
+ cattle-global-nt,
+ cattle-impersonation-system,
+ cattle-istio,
+ cattle-istio-system,
+ cattle-logging,
+ cattle-logging-system,
+ cattle-monitoring-system,
+ cattle-neuvector-system,
+ cattle-prometheus,
+ cattle-provisioning-capi-system,
+ cattle-resources-system,
+ cattle-sriov-system,
+ cattle-system,
+ cattle-ui-plugin-system,
+ cattle-windows-gmsa-system,
+ cert-manager,
+ cis-operator-system,
+ fleet-default,
+ ingress-nginx,
+ istio-system,
+ kube-node-lease,
+ kube-public,
+ kube-system,
+ longhorn-system,
+ rancher-alerting-drivers,
+ security-scan,
+ tigera-operator]
 kube-controller:
 extra_args:
 feature-gates: RotateKubeletServerCertificate=true
diff --git a/versioned_docs/version-2.7/reference-guides/rancher-security/psa-restricted-exemptions.md b/versioned_docs/version-2.7/reference-guides/rancher-security/psa-restricted-exemptions.md
index 0f35551cf31..f9e68addefb 100644
--- a/versioned_docs/version-2.7/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/versioned_docs/version-2.7/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -46,6 +46,7 @@ plugins:
 cattle-monitoring-system,
 cattle-neuvector-system,
 cattle-prometheus,
+ cattle-provisioning-capi-system,
 cattle-resources-system,
 cattle-sriov-system,
 cattle-system,
diff --git a/versioned_sidebars/version-2.7-sidebars.json b/versioned_sidebars/version-2.7-sidebars.json
index 2afa9c9297a..f5b54cac025 100644
--- a/versioned_sidebars/version-2.7-sidebars.json
+++ b/versioned_sidebars/version-2.7-sidebars.json
@@ -37,7 +37,7 @@
 "getting-started/quick-start-guides/deploy-rancher-manager/prime",
 {
 "type": "category",
- "label": "Deploy Rancher Workloads",
+ "label": "Deploy Workloads",
 "link": {
 "type": "doc",
 "id": "pages-for-subheaders/deploy-rancher-workloads"