Syncing with main

Signed-off-by: Sunil Singh <sunil.singh@suse.com>
2026-05-19 19:35:17 +00:00 · 2024-11-07 12:51:04 -08:00
parent 3b847a904f
commit 1584fa9cfc
75 changed files with 641 additions and 519 deletions
@@ -49,10 +49,6 @@ EOF

 Setting the `field.cattle.io/creatorId` field allows the cluster member account to see project resources with the `get` command and view the project in the Rancher UI. Cluster owner and admin accounts don't need to set this annotation to perform these tasks.

-Setting the  `field.cattle.io/creator-principal-name` annotation to the user's principal preserves it in a projectroletemplatebinding automatically created for the project owner.
-
-If you don't want the creator to be added as the owner member (e.g. if the creator is a cluster administrator) to the project you may set the `field.cattle.io/no-creator-rbac` annotation to `true`, which will prevent the corresponding projectroletemplatebinding from being created.
-
 ### Creating a Project With a Resource Quota

 Refer to [Kubernetes Resource Quota](https://kubernetes.io/docs/concepts/policy/resource-quotas/).
@@ -95,77 +91,6 @@ spec:
    limitsMemory: 100Mi
    requestsCpu:  50m
    requestsMemory: 50Mi
-EOF
-```
-
-## Adding a Member to a Project
-
-Look up the project ID to specify the `metadata.namespace` field and `projectName` field values.
-
-```bash
-kubectl --namespace c-m-abcde get projects
-```
-
-Look up the role template ID to specify the `roleTemplateName` field value (e.g. `project-member` or `project-owner`).
-
-```bash
-kubectl get roletemplates
-```
-
-When adding a user member specify the `userPrincipalName` field:
-
-```bash
-kubectl create -f - <<EOF
-apiVersion: management.cattle.io/v3
-kind: ProjectRoleTemplateBinding
-metadata:
-  generateName: prtb-
-  namespace: p-vwxyz
-projectName: c-m-abcde:p-vwxyz
-roleTemplateName: project-member
-userPrincipalName: keycloak_user://user
-EOF
-```
-
-When adding a group member specify the `groupPrincipalName` field instead:
-
-```bash
-kubectl create -f - <<EOF
-apiVersion: management.cattle.io/v3
-kind: ProjectRoleTemplateBinding
-metadata:
-  generateName: prtb-
-  namespace: p-vwxyz
-projectName: c-m-abcde:p-vwxyz
-roleTemplateName: project-member
-groupPrincipalName: keycloak_group://group
-EOF
-```
-
-Create a projectroletemplatebinding for each role you want to assign to the project member.
-
-## Listing Project Members
-
-Look up the project ID:
-
-```bash
-kubectl --namespace c-m-abcde get projects
-```
-
-to list projectroletemplatebindings in the project's namespace:
-
-```bash
-kubectl --namespace p-vwxyz get projectroletemplatebindings
-```
-
-## Deleting a Member From a Project
-
-Lookup the projectroletemplatebinding IDs containing the member in the project's namespace as decribed in the [Listing Project Members](#listing-project-members) section.
-
-Delete the projectroletemplatebinding from the project's namespace:
-
-```bash
-kubectl --namespace p-vwxyz delete projectroletemplatebindings prtb-qx874 prtb-7zw7s
 ```

 ## Creating a Namespace in a Project
@@ -207,4 +132,4 @@ Delete the project under the cluster namespace:
 kubectl --namespace c-m-abcde delete project p-vwxyz
 ```

-Note that this command doesn't delete the namespaces and resources that formerly belonged to the project.
+Note that this command doesn't delete the namespaces and resources that formerly belonged to the project. 
@@ -23,7 +23,6 @@ The following is a list of feature flags available in Rancher. If you've upgrade
 - `harvester`: Manages access to the Virtualization Management page, where users can navigate directly to Harvester clusters and access the Harvester UI. See [Harvester Integration Overview](../../../integrations-in-rancher/harvester/overview.md) for more information.
 - `istio-virtual-service-ui`: Enables a [visual interface](../../../how-to-guides/advanced-user-guides/enable-experimental-features/istio-traffic-management-features.md) to create, read, update, and delete Istio virtual services and destination rules, which are Istio traffic management features.
 - `legacy`: Enables a set of features from 2.5.x and earlier, that are slowly being phased out in favor of newer implementations. These are a mix of deprecated features as well as features that will eventually be available to newer versions. This flag is disabled by default on new Rancher installations. If you're upgrading from a previous version of Rancher, this flag is enabled.
- `managed-system-upgrade-controller`: Enables the installation of the system-upgrade-controller app in downstream RKE2/K3s clusters, currently limited to imported clusters and the local cluster, with plans to expand support to node-driver clusters.
 - `multi-cluster-management`: Allows multi-cluster provisioning and management of Kubernetes clusters. This flag can only be set at install time. It can't be enabled or disabled later.
 - `rke1-custom-node-cleanup`: Enables cleanup of deleted RKE1 custom nodes. We recommend that you keep this flag enabled, to prevent removed nodes from attempting to rejoin the cluster.
 - `rke2`: Enables provisioning RKE2 clusters. This flag is enabled by default.
@@ -43,9 +42,8 @@ The following table shows the availability and default values for some feature f
 | `fleet`  | `true` | GA | v2.5.0 | |
 | `harvester` | `true` | Experimental | v2.6.1 | |
 | `legacy` | `false` for new installs, `true` for upgrades | GA | v2.6.0 | |
-| `managed-system-upgrade-controller` | `true` | GA | v2.10.0 | |
 | `rke1-custom-node-cleanup`| `true` | GA | v2.6.0 | |
 | `rke2` | `true` | Experimental | v2.6.0 | |
 | `token-hashing` | `false` for new installs, `true` for upgrades | GA | v2.6.0 | |
-| `uiextension` | `true` | GA | v2.9.0 | |
-| `ui-sql-cache` | `false` | Highly experimental | v2.9.0 | |
+| `uiextension` | `true` | GA | v2.9.0 |
+| `ui-sql-cache` | `false` | Highly experimental | v2.9.0 |
@@ -192,7 +192,3 @@ Try configuring and saving keycloak as your SAML provider and then accessing the

  * Check your Keycloak log.
  * If the log displays `request validation failed: org.keycloak.common.VerificationException: SigAlg was null`, set `Client Signature Required` to `OFF` in your Keycloak client.
-
-## Configuring SAML Single Logout (SLO)
-
-<ConfigureSLO />
@@ -107,8 +107,4 @@ The OpenLDAP service account is used for all searches. Rancher users will see us
 1. Click **Okta** or, if SAML is already configured, **Edit Config**
 1. Under **User and Group Search**, check **Configure an OpenLDAP server**

-If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information.
-
-## Configuring SAML Single Logout (SLO)
-
-<ConfigureSLO />
+If you experience issues when you test the connection to the OpenLDAP server, ensure that you entered the credentials for the service account and configured the search base correctly. Inspecting the Rancher logs can help pinpoint the root cause. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) for more information.
@@ -64,7 +64,3 @@ Note that these URLs will not return valid data until the authentication configu
 - The group drop-down shows only the groups that you are a member of. You will not be able to add groups that you are not a member of.

 :::
-
-## Configuring SAML Single Logout (SLO)
-
-<ConfigureSLO />
@@ -51,7 +51,3 @@ You can generate a certificate using an openssl command. For example:
 ```
 openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=myservice.example.com"
 ```
-
-## Configuring SAML Single Logout (SLO)
-
-<ConfigureSLO />
@@ -77,10 +77,6 @@ If you configure Shibboleth without OpenLDAP, the following caveats apply due to

 To enable searching for groups when assigning permissions in Rancher, you will need to configure a back end for the SAML provider that supports groups, such as OpenLDAP.

-### Configuring SAML Single Logout (SLO)
-
-<ConfigureSLO />
-
 ## Setting up OpenLDAP in Rancher

 If you also configure OpenLDAP as the back end to Shibboleth, it will return a SAML assertion to Rancher with user attributes that include groups. Then authenticated users will be able to access resources in Rancher that their groups have permissions for.
@@ -13,7 +13,7 @@ PSS define security levels for workloads. PSAs describe requirements for pod sec

 ## Upgrade to Pod Security Standards (PSS)

-Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs.
+Ensure that you migrate all PSPs to another workload security mechanism. This includes mapping your current PSPs to Pod Security Standards for enforcement with the [PSA controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/). If the PSA controller won't meet all of your organization's needs, we recommend that you use a policy engine, such as [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper), [Kubewarden](https://www.kubewarden.io/), [Kyverno](https://kyverno.io/), or [NeuVector](https://neuvector.com/). Refer to the documentation of your policy engine of choice for more information on how to migrate from PSPs.

 :::caution
 You must add your new policy enforcement mechanisms _before_ you remove the PodSecurityPolicy objects. If you don't, you may create an opportunity for privilege escalation attacks within the cluster.
@@ -194,42 +194,6 @@ Non-Airgap Rancher installations upon refresh will reflect any chart repository

 Airgap installations where Rancher is configured to use the packaged copy of Helm system charts ([`useBundledSystemChart=true`](../../../getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md#helm-chart-options-for-air-gap-installations)) will only refer to the [system-chart](https://github.com/rancher/system-charts) repository that comes bundled and will not be able to be refreshed or synced.

-#### Refresh Interval
-
-Rancher v2.10.0 adds the `refreshInterval` field to the `ClusterRepo` CRD. The default value is 3600 seconds, meaning that Rancher syncs each Helm repository every 3600 seconds.
-
-To modify the refresh interval of a chart repository:
-
-1. Click **☰ > Cluster Management**.
-1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row.
-1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**.
-1. Find the repository you want to modify, and click **⋮ > Edit YAML**.
-1. Set the **refreshInterval** field under **Spec** to the desired value in seconds.
-1. Click **Save**.
-
-### Enable/Disable Helm Chart Repositories
-
-Rancher v2.10.0 adds the ability to enable and disable Helm repositories. Helm repositories are enabled by default.
-
-To disable a chart repository:
-
-1. Click **☰ > Cluster Management**.
-1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row.
-1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**.
-1. Find the repository you want to disable, and click **⋮ > Edit YAML**.
-1. Set the **Enabled** field under **Spec** to **false**.
-1. Click **Save**.
-1. When you disable a repository, updates are disabled and new changes to the clusterRepo are not applied.
-
-To enable a chart repository:
-
-1. Click **☰ > Cluster Management**.
-1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row.
-1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Repositories**.
-1. Find the repository you want to disable, and click **⋮ > Edit YAML**.
-1. Set the **Enabled** field under **Spec** to **true**.
-1. Click **Save**.
-
 ## Deploy and Upgrade Charts

 To install and deploy a chart:
@@ -237,7 +201,7 @@ To install and deploy a chart:
 1. Click **☰ > Cluster Management**.
 1. Find the name of the cluster whose repositories you want to access. Click **Explore** at the end of the cluster's row.
 1. In the left navigation menu on the **Cluster Dashboard**, click **Apps > Charts**.
-1. Select a chart, and click **Install**.
+1. Select a chart, and click **Install**. 

 Rancher and Partner charts may have extra configurations available through custom pages or questions.yaml files. However, all chart installations can modify the values.yaml and other basic settings. After you click **Install**, a Helm operation job is deployed, and the console for the job is displayed.

@@ -31,5 +31,6 @@ Rancher contains a variety of tools that aren't included in Kubernetes to assist
 - Logging
 - Monitoring
 - Istio Service Mesh
+- OPA Gatekeeper

 Tools can be installed through **Apps.**
@@ -0,0 +1,117 @@
+---
+title: OPA Gatekeeper
+---
+
+<head>
+  <link rel="canonical" href="https://ranchermanager.docs.rancher.com/integrations-in-rancher/opa-gatekeeper"/>
+</head>
+
+<DeprecationOPAGatekeeper link="kubewarden" />
+
+To ensure consistency and compliance, every organization needs the ability to define and enforce policies in its environment in an automated way. [OPA (Open Policy Agent)](https://www.openpolicyagent.org/) is a policy engine that facilitates policy-based control for cloud native environments. Rancher provides the ability to enable OPA Gatekeeper in Kubernetes clusters, and also installs a couple of built-in policy definitions, which are also called constraint templates.
+
+OPA provides a high-level declarative language that lets you specify policy as code and ability to extend simple APIs to offload policy decision-making.
+
+[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is a project that provides integration between OPA and Kubernetes. OPA Gatekeeper provides:
+
+- An extensible, parameterized policy library.
+- Native Kubernetes CRDs for instantiating the policy library, also called “constraints."
+- Native Kubernetes CRDs for extending the policy library, also called "constraint templates."
+- Audit functionality.
+
+To read more about OPA, please refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/)
+
+## How the OPA Gatekeeper Integration Works
+
+Kubernetes provides the ability to extend API server functionality via admission controller webhooks, which are invoked whenever a resource is created, updated or deleted. Gatekeeper is installed as a validating webhook and enforces policies defined by Kubernetes custom resource definitions. In addition to the admission control usage, Gatekeeper provides the capability to audit existing resources in Kubernetes clusters and mark current violations of enabled policies.
+
+OPA Gatekeeper is made available via Rancher's Helm system chart, and it is installed in a namespace named `gatekeeper-system.`
+
+## Enabling OPA Gatekeeper in a Cluster
+
+:::note
+
+In Rancher v2.5, the OPA Gatekeeper application was improved. The Rancher v2.4 feature can't be upgraded to the new version in Rancher v2.5. If you installed OPA Gatekeeper in Rancher v2.4, you will need to uninstall OPA Gatekeeper and its CRDs from the old UI, then reinstall it in Rancher v2.5. To uninstall the CRDs run the following command in the kubectl console `kubectl delete crd configs.config.gatekeeper.sh constrainttemplates.templates.gatekeeper.sh`.
+
+:::
+
+:::note Prerequisite:
+
+Only administrators and cluster owners can enable OPA Gatekeeper.
+
+:::
+
+The OPA Gatekeeper Helm chart can be installed from **Apps**.
+
+### Enabling OPA Gatekeeper
+
+1. In the upper left corner, click **☰ > Cluster Management**.
+1. In the **Clusters** page, go to the cluster where you want to enable OPA Gatekeeper and click **Explore**.
+1. In the left navigation bar, click **Apps**.
+1. Click **Charts** and click **OPA Gatekeeper**.
+1. Click **Install**.
+
+**Result:** OPA Gatekeeper is deployed in your Kubernetes cluster.
+
+## Constraint Templates
+
+[Constraint templates](https://github.com/open-policy-agent/gatekeeper#constraint-templates) are Kubernetes custom resources that define the schema and Rego logic of the OPA policy to be applied by Gatekeeper. For more information on the Rego policy language, refer to the [official documentation.](https://www.openpolicyagent.org/docs/latest/policy-language/)
+
+When OPA Gatekeeper is enabled, Rancher installs some templates by default.
+
+To list the constraint templates installed in the cluster, go to the left side menu under OPA Gatekeeper and click on **Templates**.
+
+Rancher also provides the ability to create your own constraint templates by importing YAML definitions.
+
+## Creating and Configuring Constraints
+
+[Constraints](https://github.com/open-policy-agent/gatekeeper#constraints) are Kubernetes custom resources that define the scope of objects to which a specific constraint template applies to. The complete policy is defined by constraint templates and constraints together.
+
+:::note Prerequisite:
+
+OPA Gatekeeper must be enabled in the cluster.
+
+:::
+
+To list the constraints installed, go to the left side menu under OPA Gatekeeper, and click on **Constraints**.
+
+New constraints can be created from a constraint template.
+
+Rancher provides the ability to create a constraint by using a convenient form that lets you input the various constraint fields.
+
+The **Edit as yaml** option is also available to configure the the constraint's yaml definition.
+
+### Exempting Rancher's System Namespaces from Constraints
+
+When a constraint is created, ensure that it does not apply to any Rancher or Kubernetes system namespaces. If the system namespaces are not excluded, then it is possible to see many resources under them marked as violations of the constraint.
+
+To limit the scope of the constraint only to user namespaces, always specify these namespaces under the **Match** field of the constraint.
+
+Also, the constraint may interfere with other Rancher functionality and deny system workloads from being deployed. To avoid this, exclude all Rancher-specific namespaces from your constraints.
+
+## Enforcing Constraints in your Cluster
+
+When the **Enforcement Action** is **Deny,** the constraint is immediately enabled and will deny any requests that violate the policy defined. By default, the enforcement value is **Deny**.
+
+When the **Enforcement Action** is **Dryrun,** then any resources that violate the policy are only recorded under the constraint's status field.
+
+To enforce constraints, create a constraint using the form. In the **Enforcement Action** field, choose **Deny**.
+
+## Audit and Violations in your Cluster
+
+OPA Gatekeeper runs a periodic audit to check if any existing resource violates any enforced constraint. The audit-interval (default 300s) can be configured while installing Gatekeeper.
+
+On the Gatekeeper page, any violations of the defined constraints are listed.
+
+Also under **Constraints,** the number of violations of the constraint can be found.
+
+The detail view of each constraint lists information about the resource that violated the constraint.
+
+## Disabling Gatekeeper
+
+1. Navigate to the cluster's Dashboard view
+1. On the left side menu, expand the cluster menu and click on **OPA Gatekeeper**.
+1. Click the **⋮ > Disable**.
+
+**Result:** Upon disabling OPA Gatekeeper, all constraint templates and constraints will also be deleted.
+
@@ -0,0 +1,19 @@
+---
+title: Best Practices for Disconnected Clusters
+---
+
+<head>
+  <link rel="canonical" href="https://ranchermanager.docs.rancher.com/reference-guides/best-practices/disconnected-clusters"/>
+</head>
+
+Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. At the moment there are no known issues with disconnected clusters in the latest released Rancher version.
+
+While a managed cluster is disconnected from Rancher, management operations will be unavailable, and the Rancher UI will not allow navigation to the cluster. However, once the connection is reestablished, functionality is fully restored.
+
+### Best Practices for Managing Disconnected Clusters
+
+- **Cluster Availability During Rancher Upgrades**: It is recommended to have all, or at least most, managed clusters online during a Rancher upgrade. The reason is that upgrading Rancher automatically upgrades the Rancher agent software running on managed clusters. Keeping the agent and Rancher versions aligned ensures consistent functionality. Any clusters that are disconnected during the upgrade will have their agents updated as soon as they reconnect.
+
+- **Cleaning Up Disconnected Clusters**: Regularly remove clusters that will no longer reconnect to Rancher (e.g., clusters that have been decommissioned or destroyed). Keeping such clusters in the Rancher management system consumes unnecessary resources, which could impact Rancher's performance over time.
+
+- **Certificate Rotation Considerations**: When designing processes that involve regularly shutting down clusters, whether connected to Rancher or not, take into account certificate rotation policies. For example, RKE/RKE2/K3s clusters may rotate certificates on startup if they exceeded their lifetime.
@@ -14,6 +14,10 @@ Refer to [this guide](logging-best-practices.md) for our recommendations for clu

 Configuring sensible monitoring and alerting rules is vital for running any production workloads securely and reliably. Refer to this [guide](monitoring-best-practices.md) for our recommendations.

+### Disconnected clusters
+
+Rancher supports managing clusters that may not always be online due to network disruptions, control plane availability, or because all cluster nodes are down. Refer to this [guide](disconnected-clusters.md) for our recommendations.
+
 ### Tips for Setting Up Containers

 Running well-built containers can greatly impact the overall performance and security of your environment. Refer to this [guide](tips-to-set-up-containers.md) for tips.
@@ -42,6 +42,12 @@ Rancher's integration with Istio was improved in Rancher v2.5.

 For more information, refer to the Istio documentation [here.](../integrations-in-rancher/istio/istio.md)

+## OPA Gatekeeper
+
+<DeprecationOPAGatekeeper link="../integrations-in-rancher/kubewarden" />
+
+[OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is an open-source project that provides integration between OPA and Kubernetes to provide policy control via admission controller webhooks. For details on how to enable Gatekeeper in Rancher, refer to the [OPA Gatekeeper section.](../integrations-in-rancher/opa-gatekeeper.md)
+
 ## CIS Scans

 Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark.