From 24fc5a657c6590b6fe1bdcc4b003d3b2cc7ac42d Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Tue, 25 Nov 2025 10:51:39 -0800 Subject: [PATCH] Merge release v2.13.0 to main (#2091) * Sync main to v2.13.0 (#2065) * It's bad form to ask users to pass something they just curled from the internet directly to sh Updated the instructions for uninstalling the rancher-system-agent to use a temporary script file instead of piping directly to sh. * doc(rancher-security): improve structure and content to latest, v2.13-preview and v2.12 (#2024) - add Rancher Kubernetes Distributions (K3s/RKE2) Self-Assessment and Hardening Guide section - add kubernetes cluster security best practices link to rancher-security section - add k3s-selinux and update selinux-rpm details - remove rhel/centos 7 support Signed-off-by: Andy Pitcher * Updating across supported versions and translations. Signed-off-by: Sunil Singh --------- Signed-off-by: Andy Pitcher Signed-off-by: Sunil Singh Co-authored-by: Tejeev Co-authored-by: Andy Pitcher Co-authored-by: Sunil Singh * Update roletemplate aggregation doc and version information * Add versioned docs * Remove ext token and kubeconfig feature flag sections and document bearer Token * Update corresponding v2.13 pages * update doc for pni in gke * Adding reverted session idle information from PR 1653 
Signed-off-by: Sunil Singh * [2.13.0] Add versions table entry * [2.13.0] Add webhook version * [2.13.0] Add CSP Adapter version * [2.13.0] Add deprecated feature table entry * [2.13.0] Update CNI popularity stats * Update GKE Cluster Configuration for Project Network Isolation instructions * Fix link and port to 2.13 * [2.13.0] Add Swagger JSON * [v2.13.0] Add info about Azure AD Roles claims (#2079) * Add info about Azure AD roles claims compatibility * Apply suggestions from code review Co-authored-by: Sunil Singh * Add suggestions to v2.13 --------- Co-authored-by: Sunil Singh * [2.13.0] Remove preview designation * user public api docs (#2069) * user public api docs * Apply suggestions from code review Co-authored-by: Andreas Kupries * Apply suggestions from code review Co-authored-by: Peter Matseykanets * explain plaintext is never stored * add users 2.13 versioned docs * remove extra ``` * Apply suggestions from code review Co-authored-by: Lucas Saintarbor * add space before code block --------- Co-authored-by: Andreas Kupries Co-authored-by: Peter Matseykanets Co-authored-by: Lucas Saintarbor * support IPv6 (#2041) * [v2.13.0] Add Configure GitHub App page (#2081) * Add Configure GitHub App page * Apply suggestions from code review Co-authored-by: Billy Tat * Fix header/GH URL & add suggestions to v2.13 * Apply suggestions from code review Co-authored-by: Petr Kovar * Apply suggestions from code review to v2.13 * Add note describing why to use Installation ID * Apply suggestions from code review Co-authored-by: Billy Tat --------- Co-authored-by: Billy Tat Co-authored-by: Petr Kovar * [v2.13.0] Add info about Generic OIDC Custom Mapping (#2080) * Add info about Generic OIDC Custom Mapping * Apply suggestions from code review Co-authored-by: Sunil Singh Co-authored-by: Billy Tat * Apply suggestions from code review Co-authored-by: Sunil Singh Co-authored-by: Billy Tat * Add suggestions to v2.13 * Remove repetitive statement in intro * Move Prereq intro/note 
to appropriate section * Fix formatting, UI typo, add Custom Claims section under Configuration Reference section * Add section about how a custom groups claim works / note about search limitations for groups in RBAC --------- Co-authored-by: Sunil Singh Co-authored-by: Billy Tat * [v2.13.0] Add info about OIDC SLO support (#2086) * Add shared file covering OIDC SLO support to OIDC auth pages * Add How to get the End Session Endpoint steps * Add generic curl example to retrieve end_session_endpoint * [2.13.0] Bump release date --------- Signed-off-by: Andy Pitcher 
Signed-off-by: Sunil Singh Co-authored-by: Lucas Saintarbor Co-authored-by: Tejeev Co-authored-by: Andy Pitcher Co-authored-by: Sunil Singh Co-authored-by: Jonathan Crowther Co-authored-by: Peter Matseykanets Co-authored-by: Petr Kovar Co-authored-by: Krunal Hingu Co-authored-by: Raul Cabello Martin Co-authored-by: Andreas Kupries Co-authored-by: Peter Matseykanets Co-authored-by: Jack Luo Co-authored-by: Petr Kovar --- docs/api/api-reference.mdx | 2 +- docs/api/api-tokens.md | 18 +- docs/api/workflows/kubeconfigs.md | 8 - docs/api/workflows/tokens.md | 10 +- docs/api/workflows/users.md | 187 + docs/faq/deprecated-features.md | 5 +- .../installation-references/feature-flags.md | 4 +- .../installation-references.md | 2 +- .../installation-requirements.md | 8 +- .../port-requirements.md | 30 +- .../cluster-role-aggregation.md | 19 - .../role-template-aggregation.md | 21 + .../configure-amazon-cognito.md | 4 + .../configure-azure-ad.md | 19 + .../configure-generic-oidc.md | 120 +- .../configure-github-app.md | 84 + .../configure-keycloak-oidc.md | 4 + ...quirements-for-rancher-managed-clusters.md | 12 + .../set-up-cloud-providers/amazon.md | 2 +- .../use-windows-clusters.md | 63 +- .../create-an-amazon-ec2-cluster.md | 3 +- .../aws-cloud-marketplace/install-adapter.md | 5 +- .../machine-configuration/amazon-ec2.md | 15 + .../machine-configuration/digitalocean.md | 2 + .../machine-configuration/google-gce.md | 2 +- .../machine-configuration.md | 2 +- .../node-template-configuration.md | 2 + .../gke-cluster-configuration.md | 10 +- .../k3s-cluster-configuration.md | 84 +- .../rke2-cluster-configuration.md | 104 +- .../rancher-agent-options.md | 57 - .../use-existing-nodes/use-existing-nodes.md | 56 +- docs/reference-guides/dual-stack.md | 122 + docs/reference-guides/rancher-webhook.md | 5 +- docusaurus.config.js | 15 +- .../current/api/api-reference.mdx | 2 +- .../current/api/api-tokens.md | 6 + .../current/faq/deprecated-features.md | 5 +- 
.../aws-cloud-marketplace/install-adapter.md | 7 +- .../reference-guides/rancher-webhook.md | 5 +- .../version-2.13/api/api-reference.mdx | 2 +- .../version-2.13/api/api-tokens.md | 6 + .../version-2.13/faq/deprecated-features.md | 5 +- .../aws-cloud-marketplace/install-adapter.md | 7 +- .../reference-guides/rancher-webhook.md | 5 +- openapi/swagger-v2.13.json | 9569 +++++++++++++++++ shared-files/_cni-popularity.md | 8 +- shared-files/_configure-slo-oidc.md | 39 + shared-files/_glossary.md | 8 +- sidebars.js | 12 +- src/pages/versions.md | 21 + src/theme/MDXComponents.js | 2 + .../version-2.13/api/api-reference.mdx | 2 +- versioned_docs/version-2.13/api/api-tokens.md | 18 +- .../version-2.13/api/workflows/kubeconfigs.md | 8 - .../version-2.13/api/workflows/tokens.md | 10 +- .../version-2.13/api/workflows/users.md | 186 + .../version-2.13/faq/deprecated-features.md | 5 +- .../installation-references/feature-flags.md | 4 +- .../installation-references.md | 2 +- .../installation-requirements.md | 8 +- .../port-requirements.md | 30 +- .../cluster-role-aggregation.md | 19 - .../role-template-aggregation.md | 21 + .../configure-amazon-cognito.md | 4 + .../configure-azure-ad.md | 19 + .../configure-generic-oidc.md | 120 +- .../configure-github-app.md | 84 + .../configure-keycloak-oidc.md | 4 + ...quirements-for-rancher-managed-clusters.md | 12 + .../set-up-cloud-providers/amazon.md | 2 +- .../use-windows-clusters.md | 63 +- .../create-an-amazon-ec2-cluster.md | 3 +- .../aws-cloud-marketplace/install-adapter.md | 5 +- .../machine-configuration/amazon-ec2.md | 15 + .../machine-configuration/digitalocean.md | 2 + .../machine-configuration/google-gce.md | 2 +- .../machine-configuration.md | 2 +- .../node-template-configuration.md | 2 + .../gke-cluster-configuration.md | 10 +- .../k3s-cluster-configuration.md | 84 +- .../rke2-cluster-configuration.md | 104 +- .../rancher-agent-options.md | 57 - .../use-existing-nodes/use-existing-nodes.md | 56 +- 
.../reference-guides/dual-stack.md | 122 + .../reference-guides/rancher-webhook.md | 5 +- versioned_sidebars/version-2.13-sidebars.json | 11 +- 87 files changed, 11352 insertions(+), 564 deletions(-) create mode 100644 docs/api/workflows/users.md delete mode 100644 docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md create mode 100644 docs/how-to-guides/advanced-user-guides/enable-experimental-features/role-template-aggregation.md create mode 100644 docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github-app.md delete mode 100644 docs/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md create mode 100644 docs/reference-guides/dual-stack.md create mode 100644 openapi/swagger-v2.13.json create mode 100644 shared-files/_configure-slo-oidc.md create mode 100644 versioned_docs/version-2.13/api/workflows/users.md delete mode 100644 versioned_docs/version-2.13/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md create mode 100644 versioned_docs/version-2.13/how-to-guides/advanced-user-guides/enable-experimental-features/role-template-aggregation.md create mode 100644 versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github-app.md delete mode 100644 versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md create mode 100644 versioned_docs/version-2.13/reference-guides/dual-stack.md diff --git a/docs/api/api-reference.mdx b/docs/api/api-reference.mdx index ca78ba81cc8..caada3bcaf5 100644 --- a/docs/api/api-reference.mdx +++ b/docs/api/api-reference.mdx 
@@ -15,4 +15,4 @@ At this time, not all Rancher resources are available through the Rancher Kubern import ApiDocMdx from '@theme/ApiDocMdx'; - + diff --git a/docs/api/api-tokens.md b/docs/api/api-tokens.md index cecfd9af3cc..fb1b9d0db1e 100644 --- a/docs/api/api-tokens.md +++ b/docs/api/api-tokens.md 
@@ -60,17 +60,23 @@ This feature affects all tokens which include, but are not limited to, the follo These global settings affect Rancher token behavior. -| Setting | Description | -| ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) | TTL in minutes on a user auth session token. | -| [`kubeconfig-default-token-ttl-minutes`](#kubeconfig-default-token-ttl-minutes) | Default TTL applied to all kubeconfig tokens except for tokens [generated by Rancher CLI](#disable-tokens-in-generated-kubeconfigs). | -| [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes) | Max TTL for all tokens except those controlled by [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes). | -| [`kubeconfig-generate-token`](#kubeconfig-generate-token) | If true, automatically generate tokens when a user downloads a kubeconfig. | +| Setting | Description | +| ------- | ----------- | +| [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) | TTL in minutes on a user auth session token. | +| [`auth-user-session-idle-ttl-minutes`](#auth-user-session-idle-ttl-minutes) | TTL in minutes on a user auth session token, without user activity. | +| [`kubeconfig-default-token-ttl-minutes`](#kubeconfig-default-token-ttl-minutes) | Default TTL applied to all kubeconfig tokens except for tokens [generated by Rancher CLI](#disable-tokens-in-generated-kubeconfigs). | +| [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes) | Max TTL for all tokens except those controlled by [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes). 
| +| [`kubeconfig-generate-token`](#kubeconfig-generate-token) | If true, automatically generate tokens when a user downloads a kubeconfig. | ### auth-user-session-ttl-minutes Time to live (TTL) duration in minutes, used to determine when a user auth session token expires. When expired, the user must log in and obtain a new token. This setting is not affected by [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes). Session tokens are created when a user logs into Rancher. +### auth-user-session-idle-ttl-minutes + +Time to live (TTL) without user activity for login sessions tokens, in minutes. +By default, [`auth-user-session-idle-ttl-minutes`](#auth-user-session-idle-ttl-minutes) is set to the same value as [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) (for backward compatibility). It must never exceed the value of `auth-user-session-ttl-minutes`. + ### kubeconfig-default-token-ttl-minutes Time to live (TTL) duration in minutes, used to determine when a kubeconfig token expires. When the token is expired, the API rejects the token. This setting can't be larger than [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes). This setting applies to tokens generated in a requested kubeconfig file, except for tokens [generated by Rancher CLI](#disable-tokens-in-generated-kubeconfigs). As of Rancher v2.8, the default duration is `43200`, which means that tokens expire in 30 days. diff --git a/docs/api/workflows/kubeconfigs.md b/docs/api/workflows/kubeconfigs.md index a6e156f3272..6ef8e2e9817 100644 --- a/docs/api/workflows/kubeconfigs.md +++ b/docs/api/workflows/kubeconfigs.md 
@@ -20,14 +20,6 @@ To get a description of the fields and structure of the Kubeconfig resource, run kubectl explain kubeconfigs.ext.cattle.io ``` -## Feature Flag - -The Kubeconfigs Public API is available since Rancher v2.12.0 and is enabled by default. It can be disabled by setting the `ext-kubeconfigs` feature flag to `false`. - -```sh -kubectl patch feature ext-kubeconfigs -p '{"spec":{"value":false}}' -``` - ## Creating a Kubeconfig Only a **valid and active** Rancher user can create a Kubeconfig. For example, trying to create a Kubeconfig using a `system:admin` service account will lead to an error: diff --git a/docs/api/workflows/tokens.md b/docs/api/workflows/tokens.md index 999340c1613..87c11bdb3f3 100644 --- a/docs/api/workflows/tokens.md +++ b/docs/api/workflows/tokens.md @@ -20,20 +20,14 @@ To get a description of the fields and structure of the Token resource, run: kubectl explain tokens.ext.cattle.io ``` -## Feature Flag - -The Tokens Public API is available for Rancher v2.12.0 and later, and is enabled by default. You can disable the Tokens Public API by setting the `ext-tokens` feature flag to `false` as shown in the example `kubectl` command below: - -```sh -kubectl patch feature ext-tokens -p '{"spec":{"value":false}}' -``` - ## Creating a Token :::caution The Token value is only returned once in the `status.value` field. ::: +Since Rancher v2.13.0 the `status.bearerToken` now contains a fully formed and ready-to-use Bearer token that can be used to authenticate to [Rancher API](../v3-rancher-api-guide.md). + Only a **valid and active** Rancher user can create a Token. Otherwise, you will get an error displayed (`Error from server (Forbidden)...`) when attempting to create a Token. ```bash diff --git a/docs/api/workflows/users.md b/docs/api/workflows/users.md new file mode 100644 index 00000000000..dd2c072330e --- /dev/null +++ b/docs/api/workflows/users.md 
@@ -0,0 +1,187 @@ +--- +title: Users +--- + +## User Resource + +The `User` resource (users.management.cattle.io) represents a user account in Rancher. + +To get a description of the fields and structure of the `User` resource, run: + +```sh +kubectl explain users.management.cattle.io +``` + +## Creating a User + +Creating a local user is a two-step process: you must create the `User` resource, then provide a password via a Kubernetes `Secret`. + +Only a user with sufficient permissions can create a `User` resource. + +```bash +kubectl create -f -< -Please see the following reference guides for other installation resources: [Rancher Helm chart options](helm-chart-options.md), [TLS settings](tls-settings.md), and [feature flags](feature-flags.md). \ No newline at end of file +Please see the following reference guides for other installation resources: [Rancher Helm chart options](helm-chart-options.md), [TLS settings](tls-settings.md), and [feature flags](feature-flags.md). diff --git a/docs/getting-started/installation-and-upgrade/installation-requirements/installation-requirements.md b/docs/getting-started/installation-and-upgrade/installation-requirements/installation-requirements.md index 244f0cf39c1..c5f7181fca5 100644 --- a/docs/getting-started/installation-and-upgrade/installation-requirements/installation-requirements.md +++ b/docs/getting-started/installation-and-upgrade/installation-requirements/installation-requirements.md 
@@ -25,10 +25,16 @@ Rancher needs to be installed on a supported Kubernetes version. Consult the [Ra Regardless of version and distribution, the Kubernetes cluster must have the aggregation API layer properly configured to support the [extension API](../../../api/extension-apiserver.md) used by Rancher. -### Install Rancher on a Hardened Kubernetes cluster +### Install Rancher on a Hardened Kubernetes Cluster If you install Rancher on a hardened Kubernetes cluster, check the [Exempting Required Rancher Namespaces](../../../how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md#exempting-required-rancher-namespaces) section for detailed requirements. +### Install Rancher on an IPv6-only or Dual-stack Kubernetes Cluster + +You can deploy Rancher on an IPv6-only or dual-stack Kubernetes cluster. + +For details on Rancher’s IPv6-only and dual-stack support, see the [IPv4/IPv6 Dual-stack](../../../reference-guides/dual-stack.md) page. + ## Operating Systems and Container Runtime Requirements All supported operating systems are 64-bit x86. Rancher should work with any modern Linux distribution. diff --git a/docs/getting-started/installation-and-upgrade/installation-requirements/port-requirements.md b/docs/getting-started/installation-and-upgrade/installation-requirements/port-requirements.md index 8f291a22390..46ca5ec7d49 100644 --- a/docs/getting-started/installation-and-upgrade/installation-requirements/port-requirements.md +++ b/docs/getting-started/installation-and-upgrade/installation-requirements/port-requirements.md 
@@ -238,21 +238,23 @@ In these cases, you have to explicitly allow this traffic in your host firewall, When using the [AWS EC2 node driver](../../../how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md) to provision cluster nodes in Rancher, you can choose to let Rancher create a security group called `rancher-nodes`. The following rules are automatically added to this security group. -| Type | Protocol | Port Range | Source/Destination | Rule Type | +| Type | Protocol | Port Range | Source/Destination | Rule Type | |-----------------|:--------:|:-----------:|------------------------|:---------:| -| SSH | TCP | 22 | 0.0.0.0/0 | Inbound | -| HTTP | TCP | 80 | 0.0.0.0/0 | Inbound | -| Custom TCP Rule | TCP | 443 | 0.0.0.0/0 | Inbound | -| Custom TCP Rule | TCP | 2376 | 0.0.0.0/0 | Inbound | -| Custom TCP Rule | TCP | 2379-2380 | sg-xxx (rancher-nodes) | Inbound | -| Custom UDP Rule | UDP | 4789 | sg-xxx (rancher-nodes) | Inbound | -| Custom TCP Rule | TCP | 6443 | 0.0.0.0/0 | Inbound | -| Custom UDP Rule | UDP | 8472 | sg-xxx (rancher-nodes) | Inbound | -| Custom TCP Rule | TCP | 10250-10252 | sg-xxx (rancher-nodes) | Inbound | -| Custom TCP Rule | TCP | 10256 | sg-xxx (rancher-nodes) | Inbound | -| Custom TCP Rule | TCP | 30000-32767 | 0.0.0.0/0 | Inbound | -| Custom UDP Rule | UDP | 30000-32767 | 0.0.0.0/0 | Inbound | -| All traffic | All | All | 0.0.0.0/0 | Outbound | +| SSH | TCP | 22 | 0.0.0.0/0 and ::/0 | Inbound | +| HTTP | TCP | 80 | 0.0.0.0/0 and ::/0 | Inbound | +| Custom TCP Rule | TCP | 443 | 0.0.0.0/0 and ::/0 | Inbound | +| Custom TCP Rule | TCP | 2376 | 0.0.0.0/0 and ::/0 | Inbound | +| Custom TCP Rule | TCP | 6443 | 0.0.0.0/0 and ::/0 | Inbound | +| Custom TCP Rule | TCP | 179 | sg-xxx (rancher-nodes) | Inbound | +| Custom TCP Rule | TCP | 9345 | sg-xxx (rancher-nodes) | Inbound | +| Custom TCP Rule | TCP | 2379-2380 | sg-xxx (rancher-nodes) | Inbound | +| Custom TCP Rule | TCP 
| 10250-10252 | sg-xxx (rancher-nodes) | Inbound | +| Custom TCP Rule | TCP | 10256 | sg-xxx (rancher-nodes) | Inbound | +| Custom UDP Rule | UDP | 4789 | sg-xxx (rancher-nodes) | Inbound | +| Custom UDP Rule | UDP | 8472 | sg-xxx (rancher-nodes) | Inbound | +| Custom TCP Rule | TCP | 30000-32767 | 0.0.0.0/0 and ::/0 | Inbound | +| Custom UDP Rule | UDP | 30000-32767 | 0.0.0.0/0 and ::/0 | Inbound | +| All traffic | All | All | 0.0.0.0/0 and ::/0 | Outbound | ### Opening SUSE Linux Ports diff --git a/docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md b/docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md deleted file mode 100644 index 9747c6db81e..00000000000 --- a/docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md +++ /dev/null 
@@ -1,19 +0,0 @@
----
-title: ClusterRole Aggregation
----
-
-
-
-
-
-:::caution
-ClusterRole aggregation is a highly experimental feature that changes the RBAC architecture used for RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings. **It is not supported for production environments**. This feature is meant exclusively for internal testing in v2.11 and v2.12. It is expected to be available as a beta for users in v2.13.
-:::
-
-ClusterRole aggregation implements RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings using the Kubernetes feature [Aggregated ClusterRoles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles). The new architecture results in a net reduction in RBAC objects (Roles, RoleBindings, ClusterRoles and ClusterRoleBindings) both in the Rancher cluster and the downstream clusters.
-
-| Environment Variable Key | Default Value | Description |
-| --- | --- | --- |
-| `aggregated-roletemplates` | `false` | [Experimental] Make RoleTemplates use aggregation for generated RBAC roles. |
-
-The value of this feature flag is locked on installation, which shows up in the UI as a lock symbol beside the feature flag. That means the feature can only be set on the first ever installation of Rancher. After that, attempting to modify the value will be denied.
diff --git a/docs/how-to-guides/advanced-user-guides/enable-experimental-features/role-template-aggregation.md b/docs/how-to-guides/advanced-user-guides/enable-experimental-features/role-template-aggregation.md
new file mode 100644
index 00000000000..d5ec106cb2a
--- /dev/null
+++ b/docs/how-to-guides/advanced-user-guides/enable-experimental-features/role-template-aggregation.md
@@ -0,0 +1,21 @@
+---
+title: RoleTemplate Aggregation
+---
+
+
+
+
+
+:::caution
+RoleTemplate aggregation is an experimental feature in v2.13 that changes the RBAC architecture used for RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings. **It is not supported for production environments**. Breaking changes may occur between v2.13 and v2.14.
+:::
+
+RoleTemplate aggregation implements RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings using the Kubernetes feature [Aggregated ClusterRoles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles). The new architecture results in a net reduction in RBAC objects (Roles, RoleBindings, ClusterRoles and ClusterRoleBindings) both in the Rancher cluster and the downstream clusters.
+
+For more information on how the feature can improve scalability and performance, please see the [Rancher Blog post](https://www.suse.com/c/rancher_blog/fewer-bindings-more-power-ranchers-rbac-boost-for-enhanced-performance-and-scalability/).
+
+| Environment Variable Key | Default Value | Description |
+| --- | --- | --- |
+| `aggregated-roletemplates` | `false` | [Beta] Make RoleTemplates use aggregation for generated RBAC roles. |
+
+The value of this feature flag is locked on installation, which shows up in the UI as a lock symbol beside the feature flag. That means the feature can only be set on the first ever installation of Rancher. After that, attempting to modify the value will be denied.
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md
index 58a82dfc38d..91ac8b6b51c 100644
--- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md @@ -58,3 +58,7 @@ if the user has not yet logged in to Rancher. However, if the user has previousl ### You are not redirected to your authentication provider If you fill out the **Configure an Amazon Cognito account** form and click on **Enable**, and you are not redirected to Amazon Cognito, verify your Amazon Cognito configuration. + +## Configuring OIDC Single Logout (SLO) + + \ No newline at end of file diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad.md index b17daeabbcd..a7f84745885 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad.md 
@@ -363,3 +363,22 @@ Since the filter prevents Rancher from seeing that the user belongs to an exclud >- If you don't wish to upgrade to v2.7.0+ after the Azure AD Graph API is retired, you'll need to either: - Use the built-in Rancher auth or - Use another third-party auth system and set that up in Rancher. Please see the [authentication docs](authentication-config.md) to learn how to configure other open authentication providers. + +## Azure AD Roles Claims + +Rancher supports the Roles claim provided by the Azure AD OIDC provider token, allowing for complete delegation of Role-Based Access Control (RBAC) to Azure AD. Previously, Rancher only processed the `Groups` claim to determine a user's `group` membership. This enhancement extends the logic to also include the Roles claim within the user's OIDC token. + +By including the Roles claim, administrators can: + +- Define specific high-level roles in Azure AD. +- Bind these Azure AD Roles directly to ProjectRoles or ClusterRoles within Rancher. +- Centralize and fully delegate access control decisions to the external OIDC provider. + +For example, consider the following role structure in Azure AD: + +| Azure AD Role Name | Members | +|--------------------|----------------| +| project-alpha-dev | User A, User C | + + +User A logs into Rancher via Azure AD. The OIDC token includes a Roles claim, [`project-alpha-dev`]. The Rancher logic processes the token, and the internal list of `groups`/roles for User A which includes `project-alpha-dev`. An administrator has created a Project Role Binding that maps the Azure AD Role `project-alpha-dev` to the Project Role `Dev Member` for Project Alpha. User A is automatically granted the `Dev Member` role in Project Alpha. 
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md
index e0d2577e5ff..ed3b5ed0b39 100644
--- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md
@@ -7,60 +7,69 @@ description: Create an OpenID Connect (OIDC) client and configure Rancher to wor -If your organization uses an OIDC provider for user authentication, you can configure Rancher to allow login using Identity Provider (IdP) credentials. Rancher supports integration with the OpenID Connect (OIDC) protocol and the SAML protocol. Both implementations are functionally equivalent when used with Rancher. The following instructions describe how to configure Rancher to work using the OIDC protocol. +Generic OpenID Connect (OIDC) allows users to sign in to Rancher using their credentials from their existing account at an OIDC Identity Provider (IdP). Rancher supports integration with the OIDC protocol and the SAML protocol. Both implementations are functionally equivalent when used with Rancher. The following instructions describe how to create an OIDC client and configure Rancher to work with your authentication provider. Users can then sign into Rancher using their login from the OIDC IdP. ## Prerequisites -- In Rancher: - - Generic OIDC is disabled. +### Identity Provider + +In Rancher, Generic OIDC is disabled. :::note + Consult the documentation for your specific IdP to complete the listed prerequisites. + ::: -- In your IdP: - - Create a new client with the settings below: +#### OIDC Client + +In your IdP, create a new client with the settings below: + + Setting | Value + ------------|------------ + `Client ID` | (e.g. `rancher`) + `Name` | (e.g. `rancher`) + `Client Protocol` | `openid-connect` + `Access Type` | `confidential` + `Valid Redirect URI` | `https://yourRancherHostURL/verify-auth` + +In the new OIDC client, create mappers to expose the user's fields. + + 1. Create a new `Groups Mapper` with the settings below: Setting | Value ------------|------------ - `Client ID` | (e.g. `rancher`) - `Name` | (e.g. 
`rancher`) - `Client Protocol` | `openid-connect` - `Access Type` | `confidential` - `Valid Redirect URI` | `https://yourRancherHostURL/verify-auth` + `Name` | `Groups Mapper` + `Mapper Type` | `Group Membership` + `Token Claim Name` | `groups` + `Add to ID token` | `OFF` + `Add to access token` | `OFF` + `Add to user info` | `ON` - - In the new OIDC client, create mappers to expose the users fields. - - Create a new Groups Mapper with the settings below: + 1. Create a new `Client Audience` with the settings below: - Setting | Value - ------------|------------ - `Name` | `Groups Mapper` - `Mapper Type` | `Group Membership` - `Token Claim Name` | `groups` - `Add to ID token` | `OFF` - `Add to access token` | `OFF` - `Add to user info` | `ON` + Setting | Value + ------------|------------ + `Name` | `Client Audience` + `Mapper Type` | `Audience` + `Included Client Audience` | `CLIENT_NAME` + `Add to access token` | `ON` - - Create a new Client Audience with the settings below: + 1. Create a new `Groups Path` with the settings below. - Setting | Value - ------------|------------ - `Name` | `Client Audience` - `Mapper Type` | `Audience` - `Included Client Audience` | - `Add to access token` | `ON` + Setting | Value + ------------|------------ + `Name` | `Group Path` + `Mapper Type` | `Group Membership` + `Token Claim Name` | `full_group_path` + `Full group path` | `ON` + `Add to user info` | `ON` - - Create a new "Groups Path" with the settings below. +:::warning - Setting | Value - ------------|------------ - `Name` | `Group Path` - `Mapper Type` | `Group Membership` - `Token Claim Name` | `full_group_path` - `Full group path` | `ON` - `Add to user info` | `ON` +Rancher uses the value received in the "sub" claim to form the PrincipalID which is the unique identifier in Rancher. It is important to make this a value that is unique and immutable. 
-- Important: Rancher will use the value received in the "sub" claim to form the PrincipalID which is the unique identifier in Rancher. It is important to make this a value that will be unique and immutable. +::: ## Configuring Generic OIDC in Rancher 
@@ -80,7 +89,31 @@ Consult the documentation for your specific IdP to complete the listed prerequis **Result:** Rancher is configured to work with your provider using the OIDC protocol. Your users can now sign into Rancher using their IdP logins. -## Configuration Reference +### Custom Claim Mapping + +Custom claim mapping within the Generic OIDC configuration is supported for `name`, `email` and `groups` claims. This allows you to manually map these OIDC claims when your IdP doesn't use standard names in tokens. + +#### How a Custom Groups Claim Works + +A custom groups claim influences how user groups work: + +- If both the standard OIDC `groups` claim and the custom groups claim are present in the user's token, the custom claim supplements the list of groups provided by the standard claim. +- If there is no standard groups claim in the token, the groups listed in the custom claim will form the user's only groups. + +:::note +There is no search functionality available for groups sourced from a custom claim. To assign a role to one of these groups, you must manually enter the group's exact name into the RBAC field. +::: + +#### Configuring Custom Claims + +When on the **Configure an OIDC account** form: + +1. Select **Add custom claims**. +1. Add your custom `name`, `email` or `groups` claims to the appropriate **Custom Claims** field. + +For example, if your IdP sends `groups` in a claim called `custom_roles`, enter `custom_roles` into the **Custom Groups Claim** field. Rancher then supplements the standard OIDC `groups` claim or looks for that specific claim when processing the user's token. + +### Configuration Reference | Field | Description | | ------------------------- |----------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -91,6 +124,15 @@ Consult the documentation for your specific IdP to complete the listed prerequis | Rancher URL | The URL for your Rancher Server. | | Issuer | The URL of your IdP. If your provider has discovery enabled, Rancher uses the Issuer URL to fetch all of the required URLs. | | Auth Endpoint | The URL where users are redirected to authenticate. | + +#### Custom Claims + +| Custom Claim Field | Default OIDC Claim | Custom Claim Description | +| ------------- | ------------------ | ------------------------ | +| Custom Name Claim | `name` | The name of the claim in the OIDC token that contains the user's full name or display name. | +| Custom Email Claim | `email` | The name of the claim in the OIDC token that contains the user's email address. | +| Custom Groups Claim | `groups` | The name of the claim in the OIDC token that contains the user's group memberships (used for RBAC). | + ## Troubleshooting If you are experiencing issues while testing the connection to the OIDC server, first double-check the configuration options of your OIDC client. You can also inspect the Rancher logs to help pinpoint what's causing issues. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) in this documentation. @@ -108,3 +150,7 @@ If the `Issuer` and `Auth Endpoint` are generated incorrectly, open the **Config ### Error: "Invalid grant_type" In some cases, the "Invalid grant_type" error message may be misleading and is actually caused by setting the `Valid Redirect URI` incorrectly. + +## Configuring OIDC Single Logout (SLO) + + \ No newline at end of file 
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github-app.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github-app.md
new file mode 100644
index 00000000000..5734108f396
--- /dev/null
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github-app.md
@@ -0,0 +1,84 @@ +--- +title: Configure GitHub App +--- + + + + + +In environments using GitHub, you can configure the new GitHub App authentication provider in Rancher, which allows users to authenticate against a GitHub Organization account using a dedicated [GitHub App](https://docs.github.com/en/apps/overview). This new provider runs alongside the existing standard GitHub authentication provider, offering increased security and better management of permissions based on GitHub Organization teams. + +## Prerequisites + +:::warning + +The GitHub App authentication provider only works with [GitHub Organization accounts](https://docs.github.com/en/get-started/learning-about-github/types-of-github-accounts#organization-accounts). It does not function with individual [GitHub User accounts](https://docs.github.com/en/get-started/learning-about-github/types-of-github-accounts#user-accounts). + +::: + +Before configuring the provider in Rancher, you must first create a GitHub App for your organization, generate a client secret for your GitHub App and generate a private key for your GitHub App. Refer to [Registering a GitHub App](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app) for details. + +### Create GitHub App + +1. Open your [GitHub organization settings](https://github.com/settings/organizations). +1. To the right of the organization, select **Settings**. +1. In the left sidebar, click **Developer settings** > **GitHub Apps**. +1. Click **New Github App**. +1. Fill in the GitHub App configuration form with these values: + + - **GitHub App name**: Anything you like, e.g. `My Rancher`. + - **Application description**: Optional, can be left blank. + - **Homepage URL**: `https://localhost:8443`. + - **Callback URL**: `https://localhost:8443/verify-auth`. + +1. Select **Create Github App**. 
+ +### Generate a Client Secret + +Generate a [client secret](https://docs.github.com/en/rest/authentication/authenticating-to-the-rest-api#using-basic-authentication) on the settings page for your app. + +1. Go to your GitHub App. +1. Next to **Client Secrets**, select **Generate a new client secret**. + +### Generate a Private Key + +Generate a [private key](https://docs.github.com/en/enterprise-server/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps#generating-private-keys) on the settings page for your app. + +1. Go to your GitHub App. +1. Next to **Private Keys**, click **Generate a private key**. + +## GitHub App Auth Provider Configuration + +To set up the GitHub App Auth Provider in Rancher, follow these steps: + +1. Navigate to the **Users & Authentication** section in the Rancher UI. +1. Select **Auth Providers**. +1. Select the **GitHub App** tile. +1. Gather and enter the details of your GitHub App into the configuration form fields. + + | Field Name | Description | + | ---------- | ----------- | + | **Client ID** (Required) | The client ID of your GitHub App. | + | **Client Secret** (Required) | The client secret of your GitHub App. | + | **GitHub App ID** (Required) | The numeric ID associated with your GitHub App. | + | **Installation ID** (Optional) | If you want to restrict authentication to a single installation of the App, provide its specific numeric Installation ID. | + | **Private Key** (Required) | The contents of the Private Key file (in PEM format) generated by GitHub for your App. | + + :::note + + A GitHub App can be installed across multiple Organizations, and each installation has a unique Installation ID. If you want to restrict authentication to a single App installation and GitHub Organization, provide the Installation ID during configuration. If you do not provide an Installation ID, the user's permissions are aggregated across all installations. + + ::: + +1. Select **Enable**. 
Rancher attempts to validate the credentials and, upon success, activates the GitHub App provider. + +After it is enabled, users logging in via the GitHub App provider are automatically identified and you can leverage your GitHub Organization's teams and users to configure Role-Based Access Control (RBAC) and to assign permissions to projects and clusters. + +:::note + +Ensure that the users and teams you intend to use for authorization exist within the GitHub organization managed by the App. + +::: + +- **Users**: Individual GitHub users who are members of the GitHub Organization where the App is installed can log in. +- **Groups**: GitHub Organization teams are mapped to Rancher Groups, allowing you to assign entire teams permissions within Rancher projects and clusters. diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md index da031a96a29..646bf3ee8b6 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md @@ -203,3 +203,7 @@ To resolve this, you can either: 3. Save your changes. 2. Reconfigure your Keycloak OIDC setup using a user that is assigned to at least one group in Keycloak. + +## Configuring OIDC Single Logout (SLO) + + \ No newline at end of file diff --git a/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md b/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md index afc0f04adce..9438d0dc8db 100644 
--- a/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md +++ b/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md @@ -120,6 +120,18 @@ For a breakdown of the port requirements for etcd nodes, controlplane nodes, and Details on which ports are used in each situation are found under [Downstream Cluster Port Requirements](../../../getting-started/installation-and-upgrade/installation-requirements/port-requirements.md#downstream-kubernetes-cluster-nodes). +### IPv6 Address Requirements + +Rancher supports clusters configured with IPv4-only, IPv6-only, or dual-stack networking. + +You must provision each node with at least one valid IPv4 address, one IPv6 address, or both, according to the cluster networking configuration. + +For IPv6-only environments, ensure you correctly configure the operating system and that the `/etc/hosts` file includes a valid localhost entry, for example: + +``` +::1 localhost +``` + :::caution You should never register a node with the same hostname or IP address as an existing node. Doing so causes RKE to prevent the node from joining, and provisioning to hang. This can occur for both node driver and custom clusters. If a node must reuse a hostname or IP of an existing node, you must set the `hostname_override` [RKE option](https://rke.docs.rancher.com/config-options/nodes#overriding-the-hostname) before registering the node, so that it can join correctly. diff --git a/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/amazon.md b/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/amazon.md index b49ca3f3ca3..fa19e811043 100644 --- a/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/amazon.md 
+++ b/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/amazon.md @@ -299,7 +299,7 @@ rancher_kubernetes_engine_config: useInstanceMetadataHostname: true ``` -You must not enable `useInstanceMetadataHostname` when setting custom values for `hostname-override` for custom clusters. When you create a [custom cluster](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md), add [`--node-name`](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md) to the `docker run` node registration command to set `hostname-override` — for example, `"$(hostname -f)"`. This can be done manually or by using **Show Advanced Options** in the Rancher UI to add **Node Name**. +You must not enable `useInstanceMetadataHostname` when setting custom values for `hostname-override` for custom clusters. When you create a [custom cluster](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md), add `--node-name` to the `docker run` node registration command to set `hostname-override` — for example, `"$(hostname -f)"`. This can be done manually or by using **Show Advanced Options** in the Rancher UI to add **Node Name**. 2. Select the cloud provider. diff --git a/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md b/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md index 49f642caecc..0225b40c65e 100644 --- a/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md +++ b/docs/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md 
@@ -103,11 +103,11 @@ The `worker` nodes, which is where your workloads will be deployed on, will typi We recommend the minimum three-node architecture listed in the table below, but you can always add more Linux and Windows workers to scale up your cluster for redundancy: -| Node | Operating System | Kubernetes Cluster Role(s) | Purpose | -| ------ | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | -| Node 1 | Linux (Ubuntu Server 18.04 recommended) | Control plane, etcd, worker | Manage the Kubernetes cluster | -| Node 2 | Linux (Ubuntu Server 18.04 recommended) | Worker | Support the Rancher Cluster agent, Metrics server, DNS, and Ingress for the cluster | -| Node 3 | Windows (Windows Server core version 1809 or above) | Worker | Run your Windows containers | +| Node | Operating System | Kubernetes Cluster Role(s) | Purpose | +|--------|----------------------------------------------------------------------------------------|-----------------------------|-------------------------------------------------------------------------------------| +| Node 1 | Linux (Ubuntu Server 18.04 recommended) | Control plane, etcd, worker | Manage the Kubernetes cluster | +| Node 2 | Linux (Ubuntu Server 18.04 recommended) | Worker | Support the Rancher Cluster agent, Metrics server, DNS, and Ingress for the cluster | +| Node 3 | Windows (Windows Server core version 1809 or above required, version 2022 recommended) | Worker | Run your Windows containers | ### Container Requirements 
@@ -126,8 +126,6 @@ If you are using the GCE (Google Compute Engine) cloud provider, you must do the This tutorial describes how to create a Rancher-provisioned cluster with the three nodes in the [recommended architecture.](#recommended-architecture) -When you provision a cluster with Rancher on existing nodes, you add nodes to the cluster by installing the [Rancher agent](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md) on each one. To create or edit your cluster from the Rancher UI, run the **Registration Command** on each server to add it to your cluster. - To set up a cluster with support for Windows nodes and containers, you will need to complete the tasks below. ### 1. Provision Hosts 
@@ -142,15 +140,15 @@ Your hosts can be: You will provision three nodes: -- One Linux node, which manages the Kubernetes control plane and stores your `etcd` +- One Linux node, which manages the Kubernetes control plane, stores your `etcd`, and optionally be a worker node - A second Linux node, which will be another worker node - The Windows node, which will run your Windows containers as a worker node -| Node | Operating System | -| ------ | ------------------------------------------------------------ | -| Node 1 | Linux (Ubuntu Server 18.04 recommended) | -| Node 2 | Linux (Ubuntu Server 18.04 recommended) | -| Node 3 | Windows (Windows Server core version 1809 or above required) | +| Node | Operating System | +|--------|----------------------------------------------------------------------------------------| +| Node 1 | Linux (Ubuntu Server 18.04 recommended) | +| Node 2 | Linux (Ubuntu Server 18.04 recommended) | +| Node 3 | Windows (Windows Server core version 1809 or above required, version 2022 recommended) | If your nodes are hosted by a **Cloud Provider** and you want automation support such as loadbalancers or persistent storage devices, your nodes have additional configuration requirements. For details, see [Selecting Cloud Providers.](../set-up-cloud-providers/set-up-cloud-providers.md) 
@@ -164,11 +162,11 @@ The instructions for creating a Windows cluster on existing nodes are very simil 1. Enter a name for your cluster in the **Cluster Name** field. 1. In the **Kubernetes Version** dropdown menu, select a supported Kubernetes version. 1. In the **Container Network** field, select either **Calico** or **Flannel**. -1. Click **Next**. +1. Click **Create**. ### 3. Add Nodes to the Cluster -This section describes how to register your Linux and Worker nodes to your cluster. You will run a command on each node, which will install the Rancher agent and allow Rancher to manage each node. +This section describes how to register your Linux and Worker nodes to your cluster. You will run a command on each node, which will install the rancher system agent and allow Rancher to manage each node. #### Add Linux Master Node 
@@ -177,23 +175,18 @@ In this section, we fill out a form on the Rancher UI to get a custom command to The first node in your cluster should be a Linux host that has both the **Control Plane** and **etcd** roles. At a minimum, both of these roles must be enabled for this node, and this node must be added to your cluster before you can add Windows hosts. 1. After cluster creation, navigate to the **Registration** tab. -1. In **Step 1** under the **Node Role** section, select at least **etcd** and **Control Plane**. We recommend selecting all three. -1. Optional: If you click **Show advanced options,** you can customize the settings for the [Rancher agent](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md) and [node labels.](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) +1. In **Step 1** under the **Node Role** section, select all three roles. Although you can choose only the **etcd** and **Control Plane** roles, we recommend selecting all three. +1. Optional: If you click **Show Advanced**, you can configure additional settings such as specifying the IP address(es), overriding the node hostname, or adding [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node. 1. In **Step 2**, under the **Registration** section, copy the command displayed on the screen to your clipboard. 1. SSH into your Linux host and run the command that you copied to your clipboard. -**Result:** +**Results:** -Your cluster is created and assigned a state of **Provisioning**. Rancher is standing up your cluster. +Your cluster is created and assigned a state of **Updating**. Rancher is standing up your cluster. -You can access your cluster after its state is updated to **Active**. +It may take a few minutes for the node to register and appear under the **Machines** tab. 
-**Active** clusters are assigned two Projects: - -- `Default`, containing the `default` namespace -- `System`, containing the `cattle-system`, `ingress-nginx`, `kube-public`, and `kube-system` namespaces - -It may take a few minutes for the node to be registered in your cluster. +You’ll be able to access the cluster once its state changes to **Active**. #### Add Linux Worker Node @@ -203,11 +196,13 @@ After the initial provisioning of your cluster, your cluster only has a single L 1. After cluster creation, navigate to the **Registration** tab. 1. In **Step 1** under the **Node Role** section, select **Worker**. -1. Optional: If you click **Show advanced options,** you can customize the settings for the [Rancher agent](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md) and [node labels.](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) +1. Optional: If you click **Show Advanced**, you can configure additional settings such as specifying the IP address(es), overriding the node hostname, or to add [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node. 1. In **Step 2**, under the **Registration** section, copy the command displayed on the screen to your clipboard. 1. SSH into your Linux host and run the command that you copied to your clipboard. -**Result:** The **Worker** role is installed on your Linux host, and the node registers with Rancher. It may take a few minutes for the node to be registered in your cluster. +**Results:** + +The **Worker** role is installed on your Linux host, and the node registers with Rancher. It may take a few minutes for the node to be registered in your cluster. :::note 
@@ -216,7 +211,7 @@ Taints on Linux Worker Nodes For each Linux worker node added into the cluster, the following taints will be added to Linux worker node. By adding this taint to the Linux worker node, any workloads added to the Windows cluster will be automatically scheduled to the Windows worker node. If you want to schedule workloads specifically onto the Linux worker node, you will need to add tolerations to those workloads. | Taint Key | Taint Value | Taint Effect | -| -------------- | ----------- | ------------ | +|----------------|-------------|--------------| | `cattle.io/os` | `linux` | `NoSchedule` | ::: 
@@ -231,12 +226,16 @@ The registration command to add the Windows workers only appears after the clust 1. After cluster creation, navigate to the **Registration** tab. 1. In **Step 1** under the **Node Role** section, select **Worker**. -1. Optional: If you click **Show advanced options,** you can customize the settings for the [Rancher agent](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md) and [node labels.](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) +1. Optional: If you click **Show Advanced**, you can configure additional settings such as specifying the IP address(es), overriding the node hostname, or adding [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node. 1. In **Step 2**, under the **Registration** section, copy the command for Windows workers displayed on the screen to your clipboard. -1. Log in to your Windows host using your preferred tool, such as [Microsoft Remote Desktop](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients). Run the command copied to your clipboard in the **Command Prompt (CMD)**. +1. Log in to your Windows host using your preferred tool, such as [Microsoft Remote Desktop](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients). Run the command copied to your clipboard in the **PowerShell Console** as an Administrator. 1. Optional: Repeat these instructions if you want to add more Windows nodes to your cluster. -**Result:** The **Worker** role is installed on your Windows host, and the node registers with Rancher. It may take a few minutes for the node to be registered in your cluster. You now have a Windows Kubernetes cluster. 
+**Results:** + +The **Worker** role is installed on your Windows host, and the node registers with Rancher. It may take a few minutes for the node to be registered in your cluster. + +You now have a Windows Kubernetes cluster. ### Optional Next Steps diff --git a/docs/how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md b/docs/how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md index 11231c88c5a..07b28f311fa 100644 --- a/docs/how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md +++ b/docs/how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md 
@@ -20,7 +20,8 @@ Then you will create an EC2 cluster in Rancher, and when configuring the new clu - [Example IAM Policy](#example-iam-policy) - [Example IAM Policy with PassRole](#example-iam-policy-with-passrole) (needed if you want to use [Kubernetes Cloud Provider](../../kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/set-up-cloud-providers.md) or want to pass an IAM Profile to an instance) - [Example IAM Policy to allow encrypted EBS volumes](#example-iam-policy-to-allow-encrypted-ebs-volumes) -- **IAM Policy added as Permission** to the user. See [Amazon Documentation: Adding Permissions to a User (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) how to attach it to an user. +- **IAM Policy added as Permission** to the user. See [Amazon Documentation: Adding Permissions to a User (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) how to attach it to a user. +- **IPv4-only or IPv6-only or dual-stack subnet and/or VPC** where nodes can be provisioned and assigned IPv4 and/or IPv6 addresses. See [Amazon Documentation: IPv6 support for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6.html). ## Creating an EC2 Cluster diff --git a/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index f01b4856810..27ab8e1b60d 100644 --- a/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/docs/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md 
@@ -19,10 +19,7 @@ In order to deploy and run the adapter successfully, you need to ensure its vers | Rancher Version | Adapter Version | |-----------------|------------------| -| v2.12.3 | 107.0.0+up7.0.0 | -| v2.12.2 | 107.0.0+up7.0.0 | -| v2.12.1 | 107.0.0+up7.0.0 | -| v2.12.0 | 107.0.0+up7.0.0 | +| v2.13.0 | 108.0.0+up8.0.0 | ### 1. Gain Access to the Local Cluster diff --git a/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/amazon-ec2.md b/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/amazon-ec2.md index 4640d142697..e9ac92a352e 100644 --- a/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/amazon-ec2.md +++ b/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/amazon-ec2.md @@ -80,3 +80,18 @@ Use [Instance Metadata Service Version 2 (IMDSv2)](https://docs.aws.amazon.com/A Add metadata using [tags](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) to categorize resources. +### IPv6 Address Count + +Specify how many IPv6 addresses to assign to the instance’s network interface. + +### IPv6 Address Only + +Enable this option if the instance should use IPv6 exclusively. IPv6-only VPCs or subnets require this. When enabled, the instance will have IPv6 as its sole address, and the IPv6 Address Count must be greater than zero. + +### HTTP Protocol IPv6 + +Enable or disable IPv6 endpoints for the instance metadata service. + +### Enable Primary IPv6 + +Enable this option to designate the first assigned IPv6 address as the primary address. This ensures a consistent, non-changing IPv6 address for the instance. It does not control whether IPv6 addresses are assigned. 
diff --git a/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/digitalocean.md b/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/digitalocean.md index 634c7f48561..0c8662b46a3 100644 --- a/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/digitalocean.md +++ b/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/digitalocean.md @@ -28,6 +28,8 @@ Enable the DigitalOcean agent for additional [monitoring](https://docs.digitaloc Enable IPv6 for Droplets. +For more information, refer to the [Digital Ocean IPv6 documentation](https://docs.digitalocean.com/products/networking/ipv6). + ### Private Networking Enable private networking for Droplets. diff --git a/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/google-gce.md b/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/google-gce.md index 6c320f3b3d4..85c77d64b17 100644 --- a/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/google-gce.md +++ b/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/google-gce.md @@ -71,7 +71,7 @@ Tags is a list of _network tags_, which can be used to associate preexisting Fir ### Labels -A comma seperated list of custom labels to be attached to all VMs within a given machine pool. Unlike Tags, Labels do not influence networking behavior and only serve to organize cloud resources. +A comma separated list of custom labels to be attached to all VMs within a given machine pool. Unlike Tags, Labels do not influence networking behavior and only serve to organize cloud resources. ## Advanced Options 
diff --git a/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/machine-configuration.md b/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/machine-configuration.md index cff1dada268..b9515bade61 100644 --- a/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/machine-configuration.md +++ b/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/machine-configuration.md @@ -6,4 +6,4 @@ title: Machine Configuration -Machine configuration is the arrangement of resources assigned to a virtual machine. Please see the docs for [Amazon EC2](amazon-ec2.md), [DigitalOcean](digitalocean.md), and [Azure](azure.md) to learn more. \ No newline at end of file +Machine configuration is the arrangement of resources assigned to a virtual machine. Please see the docs for [Amazon EC2](amazon-ec2.md), [DigitalOcean](digitalocean.md), [Google GCE](google-gce.md), and [Azure](azure.md) to learn more. diff --git a/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/node-template-configuration/node-template-configuration.md b/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/node-template-configuration/node-template-configuration.md index e0f9ba4105d..693a225a9f7 100644 --- a/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/node-template-configuration/node-template-configuration.md +++ b/docs/reference-guides/cluster-configuration/downstream-cluster-configuration/node-template-configuration/node-template-configuration.md 
@@ -6,4 +6,6 @@ title: Node Template Configuration + + To learn about node template config, refer to [EC2 Node Template Configuration](amazon-ec2.md), [DigitalOcean Node Template Configuration](digitalocean.md), [Azure Node Template Configuration](azure.md), [vSphere Node Template Configuration](vsphere.md), and [Nutanix Node Template Configuration](nutanix.md). diff --git a/docs/reference-guides/cluster-configuration/rancher-server-configuration/gke-cluster-configuration/gke-cluster-configuration.md b/docs/reference-guides/cluster-configuration/rancher-server-configuration/gke-cluster-configuration/gke-cluster-configuration.md index 43258e491c4..a604d75ef3d 100644 --- a/docs/reference-guides/cluster-configuration/rancher-server-configuration/gke-cluster-configuration/gke-cluster-configuration.md +++ b/docs/reference-guides/cluster-configuration/rancher-server-configuration/gke-cluster-configuration/gke-cluster-configuration.md @@ -63,7 +63,15 @@ Enable network policy enforcement on the cluster. A network policy defines the l _Mutable: yes_ -choose whether to enable or disable inter-project communication. Note that enabling Project Network Isolation will automatically enable Network Policy and Network Policy Config, but not vice versa. +Choose whether to enable or disable inter-project communication. + +#### Imported Clusters + +For imported clusters, Project Network Isolation (PNI) requires Kubernetes Network Policy to be enabled on the cluster beforehand. +For clusters created by Rancher, Rancher enables Kubernetes Network Policy automatically. + +1. In GKE, enable Network Policy at the cluster level. Refer to the [official GKE guide](https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy) for instructions. +1. After enabling Network Policy, import the cluster into Rancher and enable PNI for project-level isolation. ### Node Ipv4 CIDR Block 
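Review bot: The new `#### Imported Clusters` text in gke-cluster-configuration.md says PNI "requires" Network Policy but not what happens if PNI is switched on for an imported cluster that lacks it. The hunk also drops the old sentence saying that enabling PNI turns Network Policy on automatically, so a reader may assume projects are isolated when nothing enforces it. Kubernetes NetworkPolicy objects have no effect unless the cluster's network plugin enforces them, so I would add a line such as `Without Network Policy enforcement on the GKE cluster, enabling PNI does not isolate projects; verify enforcement is active before relying on it.` The two steps also cover only clusters that are not yet imported; whether an already-imported cluster can enable Network Policy in GKE and then turn on PNI is not stated and should be confirmed.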
diff --git a/docs/reference-guides/cluster-configuration/rancher-server-configuration/k3s-cluster-configuration.md b/docs/reference-guides/cluster-configuration/rancher-server-configuration/k3s-cluster-configuration.md index 6ec07fe1906..cd185c88983 100644 --- a/docs/reference-guides/cluster-configuration/rancher-server-configuration/k3s-cluster-configuration.md +++ b/docs/reference-guides/cluster-configuration/rancher-server-configuration/k3s-cluster-configuration.md @@ -13,7 +13,7 @@ This section covers the configuration options that are available in Rancher for You can configure the Kubernetes options one of two ways: - [Rancher UI](#configuration-options-in-the-rancher-ui): Use the Rancher UI to select options that are commonly customized when setting up a Kubernetes cluster. -- [Cluster Config File](#cluster-config-file-reference): Instead of using the Rancher UI to choose Kubernetes options for the cluster, advanced users can create a K3s config file. Using a config file allows you to set any of the [options](https://rancher.com/docs/k3s/latest/en/installation/install-options/) available in an K3s installation. +- [Cluster Config File](#cluster-config-file-reference): Instead of using the Rancher UI to choose Kubernetes options for the cluster, advanced users can create a K3s config file. Using a config file lets you set any of the [options](https://rancher.com/docs/k3s/latest/en/installation/install-options/) available during a K3s installation. ## Editing Clusters in the Rancher UI @@ -32,7 +32,7 @@ To edit your cluster, ### Editing Clusters in YAML -For a complete reference of configurable options for K3s clusters in YAML, see the [K3s documentation.](https://rancher.com/docs/k3s/latest/en/installation/install-options/) +For a complete reference of configurable options for K3s clusters in YAML, see the [K3s documentation](https://docs.k3s.io/installation/configuration). To edit your cluster with YAML: 
@@ -48,7 +48,8 @@ This subsection covers generic machine pool configurations. For specific infrast - [Azure](../downstream-cluster-configuration/machine-configuration/azure.md) - [DigitalOcean](../downstream-cluster-configuration/machine-configuration/digitalocean.md) -- [EC2](../downstream-cluster-configuration/machine-configuration/amazon-ec2.md) +- [Amazon EC2](../downstream-cluster-configuration/machine-configuration/amazon-ec2.md) +- [Google GCE](../downstream-cluster-configuration/machine-configuration/google-gce.md) ##### Pool Name @@ -86,9 +87,9 @@ Add [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-tolerat #### Basics ##### Kubernetes Version -The version of Kubernetes installed on your cluster nodes. Rancher packages its own version of Kubernetes based on [hyperkube](https://github.com/rancher/hyperkube). +The version of Kubernetes installed on your cluster nodes. -For more detail, see [Upgrading Kubernetes](../../../getting-started/installation-and-upgrade/upgrade-and-roll-back-kubernetes.md). +For details on upgrading or rolling back Kubernetes, refer to [this guide](../../../getting-started/installation-and-upgrade/upgrade-and-roll-back-kubernetes.md). ##### Pod Security Admission Configuration Template @@ -108,7 +109,7 @@ Option to enable or disable [SELinux](https://rancher.com/docs/k3s/latest/en/adv ##### CoreDNS -By default, [CoreDNS](https://coredns.io/) is installed as the default DNS provider. If CoreDNS is not installed, an alternate DNS provider must be installed yourself. Refer to the [K3s documentation](https://rancher.com/docs/k3s/latest/en/networking/#coredns) for details.. +By default, [CoreDNS](https://coredns.io/) is installed as the default DNS provider. If CoreDNS is not installed, an alternate DNS provider must be installed yourself. Refer to the [K3s documentation](https://rancher.com/docs/k3s/latest/en/networking/#coredns) for details. ##### Klipper Service LB 
@@ -148,15 +149,49 @@ Option to choose whether to expose etcd metrics to the public or only within the ##### Cluster CIDR -IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16). +IPv4/IPv6 network CIDRs to use for pod IPs (default: `10.42.0.0/16`). + +Example values: + +- IPv4-only: `10.42.0.0/16` +- IPv6-only: `2001:cafe:42::/56` +- Dual-stack: `10.42.0.0/16,2001:cafe:42::/56` + +For additional requirements and limitations related to dual-stack or IPv6-only networking, see the following resources: + +- [K3s documentation: Dual-stack (IPv4 + IPv6) Networking](https://docs.k3s.io/networking/basic-network-options#dual-stack-ipv4--ipv6-networking) +- [K3s documentation: Single-stack IPv6 Networking](https://docs.k3s.io/networking/basic-network-options#single-stack-ipv6-networking) + +:::caution + +You must configure the Service CIDR when you first create the cluster. You cannot enable the Service CIDR on an existing cluster after it starts. + +::: ##### Service CIDR -IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16). +IPv4/IPv6 network CIDRs to use for service IPs (default: `10.43.0.0/16`). + +Example values: + +- IPv4-only: `10.43.0.0/16` +- IPv6-only: `2001:cafe:43::/112` +- Dual-stack: `10.43.0.0/16,2001:cafe:43::/112` + +For additional requirements and limitations related to dual-stack or IPv6-only networking, see the following resources: + +- [K3s documentation: Dual-stack (IPv4 + IPv6) Networking](https://docs.k3s.io/networking/basic-network-options#dual-stack-ipv4--ipv6-networking) +- [K3s documentation: Single-stack IPv6 Networking](https://docs.k3s.io/networking/basic-network-options#single-stack-ipv6-networking) + +:::caution + +You must configure the Service CIDR when you first create the cluster. You cannot enable the Service CIDR on an existing cluster after it starts. + +::: ##### Cluster DNS -IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10). 
+IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: `10.43.0.10`). ##### Cluster Domain @@ -168,11 +203,11 @@ Option to change the range of ports that can be used for [NodePort services](htt ##### Truncate Hostnames -Option to truncate hostnames to 15 characters or less. You can only set this field during the initial creation of the cluster. You can't enable or disable the 15 character limit after cluster creation. +Option to truncate hostnames to 15 characters or fewer. You can only set this field during the initial creation of the cluster. You can't enable or disable the 15-character limit after cluster creation. This setting only affects machine-provisioned clusters. Since custom clusters set hostnames during their own node creation process, which occurs outside of Rancher, this field doesn't restrict custom cluster hostname length. -Truncating hostnames in a cluster improves compatibility with Windows-based systems. Although Kubernetes allows hostnames up to 63 characters in length, systems that use NetBIOS restrict hostnames to 15 characters or less. +Truncating hostnames in a cluster improves compatibility with Windows-based systems. Although Kubernetes allows hostnames up to 63 characters in length, systems that use NetBIOS restrict hostnames to 15 characters or fewer. ##### TLS Alternate Names 
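Review bot: The caution added under `##### Cluster CIDR` in k3s-cluster-configuration.md names the wrong setting: `You must configure the Service CIDR when you first create the cluster.` It looks like a copy of the caution under `##### Service CIDR`. If the restriction is meant to cover the pod range too, this block should read `You must configure the Cluster CIDR when you first create the cluster. You cannot change the Cluster CIDR on an existing cluster after it starts.` The same wording appears under Cluster CIDR in the rke2-cluster-configuration.md hunk `@@ -181,27 +181,62 @@`. In both files "cannot enable the Service CIDR" is odd for a value that always has a default; "cannot change" is presumably what is meant, but confirm the intent.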
@@ -186,6 +221,33 @@ For more detail on how an authorized cluster endpoint works and why it is used, We recommend using a load balancer with the authorized cluster endpoint. For details, refer to the [recommended architecture section.](../../rancher-manager-architecture/architecture-recommendations.md#architecture-for-an-authorized-cluster-endpoint-ace) +##### Stack Preference + +Choose the networking stack for the cluster. This option affects: + +- The address used for health and readiness probes of components such as Calico, etcd, kube-apiserver, kube-scheduler, kube-controller-manager, and kubelet. +- The server URL in the `authentication-token-webhook-config-file` for the Authorized Cluster Endpoint. +- The `advertise-client-urls` setting for etcd during snapshot restoration. + +Options are `ipv4`, `ipv6`, `dual`: + +- When set to `ipv4`, the cluster uses `127.0.0.1` +- When set to `ipv6`, the cluster uses `[::1]` +- When set to `dual`, the cluster uses `localhost` + +The stack preference must match the cluster’s networking configuration: + +- Set to `ipv4` for IPv4-only clusters +- Set to `ipv6` for IPv6-only clusters +- Set to `dual` for dual-stack clusters + +:::caution + +Ensuring the loopback address configuration is correct is critical for successful cluster provisioning. +For more information, refer to the [Node Requirements](../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md) page. + +::: + #### Registries Select the image repository to pull Rancher images from. For more details and configuration options, see the [K3s documentation](https://rancher.com/docs/k3s/latest/en/installation/private-registry/). diff --git a/docs/reference-guides/cluster-configuration/rancher-server-configuration/rke2-cluster-configuration.md b/docs/reference-guides/cluster-configuration/rancher-server-configuration/rke2-cluster-configuration.md index f1c66ff4960..a8404dbfece 100644 
--- a/docs/reference-guides/cluster-configuration/rancher-server-configuration/rke2-cluster-configuration.md +++ b/docs/reference-guides/cluster-configuration/rancher-server-configuration/rke2-cluster-configuration.md @@ -32,7 +32,7 @@ To edit your cluster, ### Editing Clusters in YAML -For a complete reference of configurable options for K3s clusters in YAML, see the [K3s documentation.](https://rancher.com/docs/k3s/latest/en/installation/install-options/) +For a complete reference of configurable options for RKE2 clusters in YAML, see the [RKE2 documentation](https://docs.rke2.io/install/configuration). To edit your cluster in YAML: @@ -48,7 +48,8 @@ This subsection covers generic machine pool configurations. For specific infrast - [Azure](../downstream-cluster-configuration/machine-configuration/azure.md) - [DigitalOcean](../downstream-cluster-configuration/machine-configuration/digitalocean.md) -- [EC2](../downstream-cluster-configuration/machine-configuration/amazon-ec2.md) +- [Amazon EC2](../downstream-cluster-configuration/machine-configuration/amazon-ec2.md) +- [Google GCE](../downstream-cluster-configuration/machine-configuration/google-gce.md) ##### Pool Name @@ -86,9 +87,9 @@ Add [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-tolerat #### Basics ##### Kubernetes Version -The version of Kubernetes installed on your cluster nodes. Rancher packages its own version of Kubernetes based on [hyperkube](https://github.com/rancher/hyperkube). +The version of Kubernetes installed on your cluster nodes. -For more detail, see [Upgrading Kubernetes](../../../getting-started/installation-and-upgrade/upgrade-and-roll-back-kubernetes.md). +For details on upgrading or rolling back Kubernetes, refer to [this guide](../../../getting-started/installation-and-upgrade/upgrade-and-roll-back-kubernetes.md). ##### Container Network Provider 
@@ -105,20 +106,19 @@ Out of the box, Rancher is compatible with the following network providers: - [Canal](https://github.com/projectcalico/canal) - [Cilium](https://cilium.io/)* - [Calico](https://docs.projectcalico.org/v3.11/introduction/) +- [Flannel](https://github.com/flannel-io/flannel) - [Multus](https://github.com/k8snetworkplumbingwg/multus-cni) \* When using [project network isolation](#project-network-isolation) in the [Cilium CNI](../../../faq/container-network-interface-providers.md#cilium), it is possible to enable cross-node ingress routing. Click the [CNI provider docs](../../../faq/container-network-interface-providers.md#ingress-routing-across-nodes-in-cilium) to learn more. -For more details on the different networking providers and how to configure them, please view our [RKE2 documentation](https://docs.rke2.io/install/network_options). +For more details on the different networking providers and how to configure them, please view our [RKE2 documentation](https://docs.rke2.io/networking/basic_network_options). -###### Dual-stack Networking - -[Dual-stack](https://docs.rke2.io/install/network_options#dual-stack-configuration) networking is supported for all CNI providers. To configure RKE2 in dual-stack mode, set valid IPv4/IPv6 CIDRs for your [Cluster CIDR](#cluster-cidr) and/or [Service CIDR](#service-cidr). - -###### Dual-stack Additional Configuration +:::caution When using `cilium` or `multus,cilium` as your container network interface provider, ensure the **Enable IPv6 Support** option is also enabled. +::: + ##### Cloud Provider You can configure a [Kubernetes cloud provider](../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/set-up-cloud-providers.md). 
If you want to use dynamically provisioned [volumes and storage](../../../how-to-guides/new-user-guides/manage-clusters/create-kubernetes-persistent-storage/create-kubernetes-persistent-storage.md) in Kubernetes, typically you must select the specific cloud provider in order to use it. For example, if you want to use Amazon EBS, you would need to select the `aws` cloud provider. 
@@ -181,27 +181,62 @@ Option to choose whether to expose etcd metrics to the public or only within the ##### Cluster CIDR -IPv4 and/or IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16). +IPv4 and/or IPv6 network CIDRs to use for pod IPs (default: `10.42.0.0/16`). -###### Dual-stack Networking +Example values: -To configure [dual-stack](https://docs.rke2.io/install/network_options#dual-stack-configuration) mode, enter a valid IPv4/IPv6 CIDR. For example `10.42.0.0/16,2001:cafe:42:0::/56`. +- IPv4-only: `10.42.0.0/16` +- IPv6-only: `2001:cafe:42::/56` +- Dual-stack: `10.42.0.0/16,2001:cafe:42::/56` -[Additional configuration](#dual-stack-additional-configuration) is required when using `cilium` or `multus,cilium` as your [container network](#container-network-provider) interface provider. + +For additional requirements and limitations related to dual-stack or IPv6-only networking, see the following resources: + +- [RKE2 documentation: Dual-stack configuration](https://docs.rke2.io/networking/basic_network_options#dual-stack-configuration) +- [RKE2 documentation: IPv6-only setup](https://docs.rke2.io/networking/basic_network_options#ipv6-setup) + +:::caution + +You must configure the Service CIDR when you first create the cluster. You cannot enable the Service CIDR on an existing cluster after it starts. + +::: + +:::caution + +When using `cilium` or `multus,cilium` as your container network interface provider, ensure the **Enable IPv6 Support** option is also enabled. + +::: ##### Service CIDR -IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16). +IPv4/IPv6 network CIDRs to use for service IPs (default: `10.43.0.0/16`). -###### Dual-stack Networking +Example values: -To configure [dual-stack](https://docs.rke2.io/install/network_options#dual-stack-configuration) mode, enter a valid IPv4/IPv6 CIDR. For example `10.42.0.0/16,2001:cafe:42:0::/56`. 
+- IPv4-only: `10.43.0.0/16` +- IPv6-only: `2001:cafe:43::/112` +- Dual-stack: `10.43.0.0/16,2001:cafe:43::/112` -[Additional configuration](#dual-stack-additional-configuration) is required when using `cilium ` or `multus,cilium` as your [container network](#container-network-provider) interface provider. +For additional requirements and limitations related to dual-stack or IPv6-only networking, see the following resources: + +- [RKE2 documentation: Dual-stack configuration](https://docs.rke2.io/networking/basic_network_options#dual-stack-configuration) +- [RKE2 documentation: IPv6-only setup](https://docs.rke2.io/networking/basic_network_options#ipv6-setup) + +:::caution + +You must configure the Service CIDR when you first create the cluster. You cannot enable the Service CIDR on an existing cluster after it starts. + +::: + +:::caution + +When using `cilium` or `multus,cilium` as your container network interface provider, ensure the **Enable IPv6 Support** option is also enabled. + +::: ##### Cluster DNS -IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10). +IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: `10.43.0.10`). ##### Cluster Domain 
@@ -213,11 +248,11 @@ Option to change the range of ports that can be used for [NodePort services](htt ##### Truncate Hostnames -Option to truncate hostnames to 15 characters or less. You can only set this field during the initial creation of the cluster. You can't enable or disable the 15 character limit after cluster creation. +Option to truncate hostnames to 15 characters or fewer. You can only set this field during the initial creation of the cluster. You can't enable or disable the 15-character limit after cluster creation. This setting only affects machine-provisioned clusters. Since custom clusters set hostnames during their own node creation process, which occurs outside of Rancher, this field doesn't restrict custom cluster hostname length. -Truncating hostnames in a cluster improves compatibility with Windows-based systems. Although Kubernetes allows hostnames up to 63 characters in length, systems that use NetBIOS restrict hostnames to 15 characters or less. +Truncating hostnames in a cluster improves compatibility with Windows-based systems. Although Kubernetes allows hostnames up to 63 characters in length, systems that use NetBIOS restrict hostnames to 15 characters or fewer. ##### TLS Alternate Names 
@@ -233,6 +268,33 @@ For more detail on how an authorized cluster endpoint works and why it is used, We recommend using a load balancer with the authorized cluster endpoint. For details, refer to the [recommended architecture section.](../../rancher-manager-architecture/architecture-recommendations.md#architecture-for-an-authorized-cluster-endpoint-ace) +##### Stack Preference + +Choose the networking stack for the cluster. This option affects: + +- The address used for health and readiness probes of components such as Calico, etcd, kube-apiserver, kube-scheduler, kube-controller-manager, and kubelet. +- The server URL in the `authentication-token-webhook-config-file` for the Authorized Cluster Endpoint. +- The `advertise-client-urls` setting for etcd during snapshot restoration. + +Options are `ipv4`, `ipv6`, `dual`: + +- When set to `ipv4`, the cluster uses `127.0.0.1` +- When set to `ipv6`, the cluster uses `[::1]` +- When set to `dual`, the cluster uses `localhost` + +The stack preference must match the cluster’s networking configuration: + +- Set to `ipv4` for IPv4-only clusters +- Set to `ipv6` for IPv6-only clusters +- Set to `dual` for dual-stack clusters + +:::caution + +Ensuring the loopback address configuration is correct is critical for successful cluster provisioning. +For more information, refer to the [Node Requirements](../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md) page. + +::: + #### Registries Select the image repository to pull Rancher images from. For more details and configuration options, see the [RKE2 documentation](https://docs.rke2.io/install/private_registry). diff --git a/docs/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md b/docs/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md deleted file mode 100644 index 183cdb4f558..00000000000 
--- a/docs/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md
+++ /dev/null
@@ -1,57 +0,0 @@ ---- -title: Rancher Agent Options ---- - - - - - -Rancher deploys an agent on each node to communicate with the node. This pages describes the options that can be passed to the agent. To use these options, you will need to [create a cluster with custom nodes](use-existing-nodes.md) and add the options to the generated `docker run` command when adding a node. - -For an overview of how Rancher communicates with downstream clusters using node agents, refer to the [architecture section.](../../../rancher-manager-architecture/communicating-with-downstream-user-clusters.md#3-node-agents) - -## General options - -| Parameter | Environment variable | Description | -| ---------- | -------------------- | ----------- | -| `--server` | `CATTLE_SERVER` | The configured Rancher `server-url` setting which the agent connects to | -| `--token` | `CATTLE_TOKEN` | Token that is needed to register the node in Rancher | -| `--ca-checksum` | `CATTLE_CA_CHECKSUM` | The SHA256 checksum of the configured Rancher `cacerts` setting to validate | -| `--node-name` | `CATTLE_NODE_NAME` | Override the hostname that is used to register the node (defaults to `hostname -s`) | -| `--label` | `CATTLE_NODE_LABEL` | Add node labels to the node. For multiple labels, pass additional `--label` options. (`--label key=value`) | -| `--taints` | `CATTLE_NODE_TAINTS` | Add node taints to the node. For multiple taints, pass additional `--taints` options. 
(`--taints key=value:effect`) | - -## Role options - -| Parameter | Environment variable | Description | -| ---------- | -------------------- | ----------- | -| `--all-roles` | `ALL=true` | Apply all roles (`etcd`,`controlplane`,`worker`) to the node | -| `--etcd` | `ETCD=true` | Apply the role `etcd` to the node | -| `--controlplane` | `CONTROL=true` | Apply the role `controlplane` to the node | -| `--worker` | `WORKER=true` | Apply the role `worker` to the node | - -## IP address options - -| Parameter | Environment variable | Description | -| ---------- | -------------------- | ----------- | -| `--address` | `CATTLE_ADDRESS` | The IP address the node will be registered with (defaults to the IP used to reach `8.8.8.8`) | -| `--internal-address` | `CATTLE_INTERNAL_ADDRESS` | The IP address used for inter-host communication on a private network | - -### Dynamic IP address options - -For automation purposes, you can't have a specific IP address in a command as it has to be generic to be used for every node. For this, we have dynamic IP address options. They are used as a value to the existing IP address options. This is supported for `--address` and `--internal-address`. 
- -| Value | Example | Description | -| ---------- | -------------------- | ----------- | -| Interface name | `--address eth0` | The first configured IP address will be retrieved from the given interface | -| `ipify` | `--address ipify` | Value retrieved from `https://api.ipify.org` will be used | -| `awslocal` | `--address awslocal` | Value retrieved from `http://169.254.169.254/latest/meta-data/local-ipv4` will be used | -| `awspublic` | `--address awspublic` | Value retrieved from `http://169.254.169.254/latest/meta-data/public-ipv4` will be used | -| `doprivate` | `--address doprivate` | Value retrieved from `http://169.254.169.254/metadata/v1/interfaces/private/0/ipv4/address` will be used | -| `dopublic` | `--address dopublic` | Value retrieved from `http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address` will be used | -| `azprivate` | `--address azprivate` | Value retrieved from `http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/privateIpAddress?api-version=2017-08-01&format=text` will be used | -| `azpublic` | `--address azpublic` | Value retrieved from `http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-08-01&format=text` will be used | -| `gceinternal` | `--address gceinternal` | Value retrieved from `http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip` will be used | -| `gceexternal` | `--address gceexternal` | Value retrieved from `http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip` will be used | -| `packetlocal` | `--address packetlocal` | Value retrieved from `https://metadata.packet.net/2009-04-04/meta-data/local-ipv4` will be used | -| `packetpublic` | `--address packetlocal` | Value retrieved from `https://metadata.packet.net/2009-04-04/meta-data/public-ipv4` will be used | 
diff --git a/docs/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md b/docs/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md index 8e09f4a4b88..a27ac9ac48c 100644 --- a/docs/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md +++ b/docs/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md @@ -9,7 +9,7 @@ description: To create a cluster with custom nodes, you’ll need to access serv When you create a custom cluster, Rancher can use RKE2/K3s to create a Kubernetes cluster in on-prem bare-metal servers, on-prem virtual machines, or in any node hosted by an infrastructure provider. -To use this option you'll need access to servers you intend to use in your Kubernetes cluster. Provision each server according to the [requirements](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md), which includes some hardware specifications and Docker. After you install Docker on each server, you willl also run the command provided in the Rancher UI on each server to turn each one into a Kubernetes node. +To use this option, you need access to the servers that will be part of your Kubernetes cluster. Provision each server according to the [requirements](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md). Then, run the command provided in the Rancher UI on each server to convert it into a Kubernetes node. This section describes how to set up a custom cluster. 
@@ -33,7 +33,15 @@ If you want to reuse a node from a previous custom cluster, [clean the node](../ Provision the host according to the [installation requirements](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md) and the [checklist for production-ready clusters.](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/checklist-for-production-ready-clusters/checklist-for-production-ready-clusters.md) -If you're using Amazon EC2 as your host and want to use the [dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) feature, there are additional [requirements](https://rancher.com/docs/rke//latest/en/config-options/dual-stack#requirements) when provisioning the host. +:::note IPv6-only cluster + +For an IPv6-only cluster, ensure that your operating system correctly configures the `/etc/hosts` file. + +``` +::1 localhost +``` + +::: ### 2. Create the Custom Cluster 
@@ -41,39 +49,43 @@ If you're using Amazon EC2 as your host and want to use the [dual-stack](https:/ 1. On the **Clusters** page, click **Create**. 1. Click **Custom**. 1. Enter a **Cluster Name**. -1. Use **Cluster Configuration** section to choose the version of Kubernetes, what network provider will be used and if you want to enable project network isolation. To see more cluster options, click on **Show advanced options**. +1. Use the **Cluster Configuration** section to set up the cluster. For more information, see [RKE2 Cluster Configuration Reference](../rke2-cluster-configuration.md) and [K3s Cluster Configuration Reference](../k3s-cluster-configuration.md). - :::note Using Windows nodes as Kubernetes workers? + :::note Windows nodes - - See [Enable the Windows Support Option](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md). - - The only Network Provider available for clusters with Windows support is Flannel. + To learn more about using Windows nodes as Kubernetes workers, see [Launching Kubernetes on Windows Clusters](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md). - ::: + ::: - :::note Dual-stack on Amazon EC2: +1. Click **Create**. - If you're using Amazon EC2 as your host and want to use the [dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) feature, there are additional [requirements](https://rancher.com/docs/rke//latest/en/config-options/dual-stack#requirements) when configuring RKE. +**Result:** The UI redirects to the **Registration** page, where you can generate the registration command for your nodes. - ::: +1. From **Node Role**, select the roles you want a cluster node to fill. You must provision at least one node for each role: etcd, worker, and control plane. A custom cluster requires all three roles to finish provisioning. 
For more information on roles, see [Roles for Nodes in Kubernetes Clusters](../../../kubernetes-concepts.md#roles-for-nodes-in-kubernetes-clusters). -6. Click **Next**. + :::note Bare-Metal Server -4. Use **Member Roles** to configure user authorization for the cluster. Click **Add Member** to add users that can access the cluster. Use the **Role** drop-down to set permissions for each user. + If you plan to dedicate bare-metal servers to each role, you must provision a bare-metal server for each role (i.e., provision multiple bare-metal servers). -7. From **Node Role**, choose the roles that you want filled by a cluster node. You must provision at least one node for each role: `etcd`, `worker`, and `control plane`. All three roles are required for a custom cluster to finish provisioning. For more information on roles, see [this section.](../../../kubernetes-concepts.md#roles-for-nodes-in-kubernetes-clusters) + :::note -:::note +1. **Optional**: Click **Show Advanced** to configure additional settings such as specifying the IP address(es), overriding the node hostname, or adding [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node -- Using Windows nodes as Kubernetes workers? See [this section](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md). -- Bare-Metal Server Reminder: If you plan on dedicating bare-metal servers to each role, you must provision a bare-metal server for each role (i.e. provision multiple bare-metal servers). + :::note -::: + The **Node Public IP** and **Node Private IP** fields can accept either a single address or a comma-separated list of addresses (for example: `10.0.0.5,2001:db8::1`). -8. 
**Optional**: Click **[Show advanced options](rancher-agent-options.md)** to specify IP address(es) to use when registering the node, override the hostname of the node, or to add [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node. + ::: -9. Copy the command displayed on screen to your clipboard. + :::note Ipv6-only or Dual-stack Cluster -10. Log in to your Linux host using your preferred shell, such as PuTTy or a remote Terminal connection. Run the command copied to your clipboard. + In both IPv6-only and dual-stack clusters, you should specify the node’s **IPv6 address** as the **Node Private IP**. + + ::: + +1. Copy the command displayed on screen to your clipboard. + +1. Log in to your Linux host using your preferred shell, such as PuTTy or a remote Terminal connection. Run the command copied to your clipboard. :::note @@ -81,11 +93,9 @@ Repeat steps 7-10 if you want to dedicate specific hosts to specific node roles. ::: -11. When you finish running the command(s) on your Linux host(s), click **Done**. - **Result:** -Your cluster is created and assigned a state of **Provisioning**. Rancher is standing up your cluster. +The cluster is created and transitions to the **Updating** state while Rancher initializes and provisions cluster components. You can access your cluster after its state is updated to **Active**. diff --git a/docs/reference-guides/dual-stack.md b/docs/reference-guides/dual-stack.md new file mode 100644 index 00000000000..26914f529af --- /dev/null +++ b/docs/reference-guides/dual-stack.md 
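Review bot: The `:::note Bare-Metal Server` admonition added in the `@@ -41,39 +49,43 @@` hunk of use-existing-nodes.md is closed with `:::note` instead of `:::`. The block is therefore never terminated and a second admonition opens inside it; the closing line should be `   :::`. The unchanged note that follows still says `Repeat steps 7-10`, but this change renumbers every step to `1.` and removes `6. Click **Next**` and `11. When you finish...`. That reference presumably no longer matches the rendered list and would be safer written by name, for example `Repeat the registration steps`. The new title `:::note Ipv6-only or Dual-stack Cluster` should use the `IPv6` spelling found in the rest of the change.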
@@ -0,0 +1,122 @@
+---
+title: IPv4/IPv6 Dual-stack
+---
+
+
+
+
+
+Kubernetes supports IPv4-only, IPv6-only, and dual-stack networking configurations.
+For more details, refer to the official [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/).
+
+## Installing Rancher on IPv6-Only or Dual-Stack Clusters
+
+Rancher can run on clusters using:
+
+- IPv4-only
+- IPv6-only
+- Dual-stack (IPv4 + IPv6)
+
+When you install Rancher on an **IPv6-only cluster**, it can communicate externally **only over IPv6**. This means it can provision:
+
+- IPv6-only clusters
+- Dual-stack clusters
+ _(IPv4-only downstream clusters are not possible in this case)_
+
+When you install Rancher on a **dual-stack cluster**, it can communicate over both IPv4 and IPv6, and can therefore provision:
+
+- IPv4-only clusters
+- IPv6-only clusters
+- Dual-stack clusters
+
+For installation steps, see the guide: **[Installing and Upgrading Rancher](../getting-started/installation-and-upgrade/installation-and-upgrade.md)**.
+
+### Requirement for the Rancher Server URL
+
+When provisioning IPv6-only downstream clusters, the **Rancher Server URL must be reachable over IPv6** because downstream nodes connect back to the Rancher server using IPv6.
+
+## Provisioning IPv6-Only or Dual-Stack Clusters
+
+You can provision RKE2 and K3s **Node driver** (machine pools) or **Custom cluster** (existing hosts) clusters using IPv4-only, IPv6-only, or dual-stack networking.
+
+### Network Configuration
+
+To enable IPv6-only or dual-stack networking, you must configure:
+
+- Cluster CIDR
+- Service CIDR
+- Stack Preference
+
+Configuration references:
+
+- [K3s Cluster Configuration Reference](cluster-configuration/rancher-server-configuration/k3s-cluster-configuration.md)
+- [RKE2 Cluster Configuration Reference](cluster-configuration/rancher-server-configuration/rke2-cluster-configuration.md)
+
+### Support for Windows
+
+Kubernetes on Windows:
+
+| Feature | Support Status |
+|---------------------|-------------------------------|
+| IPv6-only clusters | Not supported |
+| Dual-stack clusters | Supported |
+| Services | Limited to a single IP family |
+
+For more information, see the [Kubernetes Documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#windows-support).
+
+K3s does **not** support Windows ([FAQ](https://docs.k3s.io/faq#does-k3s-support-windows))
+
+RKE2 supports Windows, but requires using either `Calico` or `Flannel` as the CNI.
+Note that Windows installations of RKE2 do not support dual-stack clusters using BGP.
+For more details, see [RKE2 Network Options](https://docs.rke2.io/networking/basic_network_options).
+
+
+### Provisioning Node Driver Clusters
+
+Rancher currently supports assigning IPv6 addresses in **node driver** clusters with:
+
+- [Amazon EC2](../how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md)
+- [DigitalOcean](../how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-a-digitalocean-cluster.md)
+
+Support for additional providers will be introduced in future releases.
+
+:::note DigitalOcean Limitation
+
+Creating an **IPv6-only cluster** using the DigitalOcean node driver is currently **not supported**.
+For more details, please see [rancher/rancher#52523](https://github.com/rancher/rancher/issues/52523#issuecomment-3457803572).
+
+:::
+
+#### Infrastructure Requirements
+
+Cluster nodes must meet the requirements listed in the [Node Requirements for Rancher Managed Clusters](../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md).
+
+Machine pool configuration guides:
+
+- [Amazon EC2 Configuration](cluster-configuration/downstream-cluster-configuration/machine-configuration/amazon-ec2.md)
+- [DigitalOcean Configuration](cluster-configuration/downstream-cluster-configuration/machine-configuration/digitalocean.md)
+
+### Provisioning Custom Clusters
+
+To provision on your own nodes, follow the instructions in [Provision Kubernetes on Existing Nodes](cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md).
+
+:::note
+
+- **Node Public IP** and **Node Private IP** fields accept IPv4, IPv6, or both (comma-separated).
+ > Example: `10.0.0.5,2001:db8::1`
+- In **IPv6-only** and **dual-stack** clusters, specify the node’s **IPv6 address** as the **Private IP**.
+
+:::
+
+#### Infrastructure Requirements
+
+Infrastructure requirements are the same as above for node-driver clusters.
+
+## Other Limitations
+
+### GitHub.com
+
+GitHub.com does **not** support IPv6. As a result:
+
+- Any application repositories ( `ClusterRepo.catalog.cattle.io/v1` CR) hosted on GitHub.com will **not be reachable** from IPv6-only clusters.
+- Similarly, any **non-builtin node drivers** hosted on GitHub.com will also **not be accessible** in IPv6-only environments.
diff --git a/docs/reference-guides/rancher-webhook.md b/docs/reference-guides/rancher-webhook.md
index b0707f39aa7..c318999bae0 100644
--- a/docs/reference-guides/rancher-webhook.md
+++ b/docs/reference-guides/rancher-webhook.md
@@ -20,10 +20,7 @@ Each Rancher version is designed to be compatible with a single version of the w | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| -| v2.12.3 | v0.8.3 | ✓ | ✓ | -| v2.12.2 | v0.8.2 | ✓ | ✓ | -| v2.12.1 | v0.8.1 | ✓ | ✓ | -| v2.12.0 | v0.8.0 | ✗ | ✓ | +| v2.13.0 | v0.9.0 | ✗ | ✓ | ## Why Do We Need It? diff --git a/docusaurus.config.js b/docusaurus.config.js index 93764188d69..7e04dff858e 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js @@ -184,12 +184,12 @@ module.exports = { current: { label: "Latest", }, - '2.13': { - label: 'v2.13 (Preview)', - path: 'v2.13', - banner: 'unreleased' + "2.13": { + label: "v2.13", + path: "v2.13", + banner: 'none' }, - '2.12': { + "2.12": { label: "v2.12", path: "v2.12", banner: "none" @@ -256,6 +256,11 @@ module.exports = { { // Plugin Options for loading OpenAPI files specs: [ + { + id: "rancher-api-v2-13", + spec: "openapi/swagger-v2.13.json", + // route: '/api/', + }, { id: "rancher-api-v2-12", spec: "openapi/swagger-v2.12.json", diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/api/api-reference.mdx b/i18n/zh/docusaurus-plugin-content-docs/current/api/api-reference.mdx index 0ac99852235..c7ebadc12de 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/api/api-reference.mdx +++ b/i18n/zh/docusaurus-plugin-content-docs/current/api/api-reference.mdx @@ -14,4 +14,4 @@ title: API 参考 import ApiDocMdx from '@theme/ApiDocMdx'; - + diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/api/api-tokens.md b/i18n/zh/docusaurus-plugin-content-docs/current/api/api-tokens.md index cc0d08cbfb1..1da09e1ece1 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/api/api-tokens.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/api/api-tokens.md 
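Review bot: In the first docusaurus.config.js hunk (`@@ -184,12 +184,12 @@`), the rewritten `"2.13"` entry still ends with `banner: 'none'` in single quotes, while its other three keys were moved to double quotes and the `"2.12"` entry below writes `banner: "none"`. Using `banner: "none"` there keeps the versions map in one quoting style, which is what the rest of this hunk is normalising towards. The enclosing `module.exports` object starts and ends outside the hunk, so the quoting of the remaining version entries cannot be checked from here.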
@@ -63,6 +63,7 @@ title: API 令牌 | 设置 | 描述 | | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) | 用户认证会话令牌的 TTL(单位:分钟)。 | +| [`auth-user-session-idle-ttl-minutes`](#auth-user-session-idle-ttl-minutes) | TTL in minutes on a user auth session token, without user activity. | | [`kubeconfig-default-token-TTL-minutes`](#kubeconfig-default-token-ttl-minutes) | 默认 TTL,应用于所有 kubeconfig 令牌(除了[由 Rancher CLI 生成的令牌](#在生成的-kubeconfig-中禁用令牌))。**此设置从 2.6.6 版本开始引入。** | | [`kubeconfig-token-ttl-minutes`](#kubeconfig-token-ttl-minutes) | 在 CLI 中生成的令牌 TTL。**自 2.6.6 起已弃用,并将在 2.8.0 中删除**。请知悉,`kubeconfig-default-token-TTL-minutes` 将用于所有 kubeconfig 令牌。 | | [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes) | 除了由 [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) 控制的令牌外,所有令牌的最大 TTL。 | 
@@ -71,6 +72,11 @@ title: API 令牌 ### auth-user-session-ttl-minutes 存活时间(TTL)(单位:分钟),用于确定用户身份验证会话令牌的到期时间。过期后,用户将需要登录并获取新令牌。此设置不受 [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes) 的影响。会话令牌是在用户登录 Rancher 时创建的。 +### auth-user-session-idle-ttl-minutes + +Time to live (TTL) without user activity for login sessions tokens, in minutes. +By default, [`auth-user-session-idle-ttl-minutes`](#auth-user-session-idle-ttl-minutes) is set to the same value as [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) (for backward compatibility). It must never exceed the value of `auth-user-session-ttl-minutes`. + ### kubeconfig-default-token-TTL-minutes 存活时间(TTL)(单位:分钟),用于确定 kubeconfig 令牌的到期时间。令牌过期后,API 将拒绝令牌。此设置的值不能大于 [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes) 的值。此设置适用于在请求的 kubeconfig 文件中生成的令牌,不包括[由 Rancher CLI 生成的](#在生成的-kubeconfig-中禁用令牌)令牌。 **此设置从 2.6.6 版本开始引入**。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/faq/deprecated-features.md b/i18n/zh/docusaurus-plugin-content-docs/current/faq/deprecated-features.md index 945ac129586..6bf9555cfa8 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/faq/deprecated-features.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/faq/deprecated-features.md @@ -16,10 +16,7 @@ Rancher 将在 GitHub 上发布的 Rancher 的[发版说明](https://github.com/ | Patch 版本 | 发布时间 | | ----------------------------------------------------------------- | ------------------ | -| [2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) | 2025 年 10 月 23 日 | -| [2.12.2](https://github.com/rancher/rancher/releases/tag/v2.12.2) | 2025 年 9 月 25 日 | -| [2.12.1](https://github.com/rancher/rancher/releases/tag/v2.12.1) | 2025 年 8 月 28 日 | -| [2.12.0](https://github.com/rancher/rancher/releases/tag/v2.12.0) | 2025 年 7 月 30 日 | +| [2.13.0](https://github.com/rancher/rancher/releases/tag/v2.13.0) | 2025 年 11 月 25 日 | ## 当一个功能被标记为弃用我可以得到什么样的预期? 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/i18n/zh/docusaurus-plugin-content-docs/current/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 0b709e5f1c7..6c1e7ac6b9e 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md @@ -14,11 +14,8 @@ title: 安装 Adapter ::: | Rancher 版本 | Adapter 版本 | -|-----------------|:----------------:| -| v2.12.3 | 107.0.0+up7.0.0 | -| v2.12.2 | 107.0.0+up7.0.0 | -| v2.12.1 | 107.0.0+up7.0.0 | -| v2.12.0 | 107.0.0+up7.0.0 | +|-----------------|------------------| +| v2.13.0 | 108.0.0+up8.0.0 | ## 1. 获取对 Local 集群的访问权限 diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-webhook.md b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-webhook.md index bb5b13b4068..555bc2d9f73 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-webhook.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-webhook.md @@ -20,10 +20,7 @@ Rancher 将 Rancher-Webhook 作为单独的 deployment 和服务部署在 local | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| -| v2.12.3 | v0.8.3 | ✓ | ✓ | -| v2.12.2 | v0.8.2 | ✓ | ✓ | -| v2.12.1 | v0.8.1 | ✓ | ✓ | -| v2.12.0 | v0.8.0 | ✗ | ✓ | +| v2.13.0 | v0.9.0 | ✗ | ✓ | ## 为什么我们需要它? diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/api/api-reference.mdx b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/api/api-reference.mdx index 0ac99852235..c7ebadc12de 100644 
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/api/api-reference.mdx +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/api/api-reference.mdx @@ -14,4 +14,4 @@ title: API 参考 import ApiDocMdx from '@theme/ApiDocMdx'; - + diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/api/api-tokens.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/api/api-tokens.md index cc0d08cbfb1..1da09e1ece1 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/api/api-tokens.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/api/api-tokens.md @@ -63,6 +63,7 @@ title: API 令牌 | 设置 | 描述 | | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) | 用户认证会话令牌的 TTL(单位:分钟)。 | +| [`auth-user-session-idle-ttl-minutes`](#auth-user-session-idle-ttl-minutes) | TTL in minutes on a user auth session token, without user activity. | | [`kubeconfig-default-token-TTL-minutes`](#kubeconfig-default-token-ttl-minutes) | 默认 TTL,应用于所有 kubeconfig 令牌(除了[由 Rancher CLI 生成的令牌](#在生成的-kubeconfig-中禁用令牌))。**此设置从 2.6.6 版本开始引入。** | | [`kubeconfig-token-ttl-minutes`](#kubeconfig-token-ttl-minutes) | 在 CLI 中生成的令牌 TTL。**自 2.6.6 起已弃用,并将在 2.8.0 中删除**。请知悉,`kubeconfig-default-token-TTL-minutes` 将用于所有 kubeconfig 令牌。 | | [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes) | 除了由 [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) 控制的令牌外,所有令牌的最大 TTL。 | 
@@ -71,6 +72,11 @@ title: API 令牌 ### auth-user-session-ttl-minutes 存活时间(TTL)(单位:分钟),用于确定用户身份验证会话令牌的到期时间。过期后,用户将需要登录并获取新令牌。此设置不受 [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes) 的影响。会话令牌是在用户登录 Rancher 时创建的。 +### auth-user-session-idle-ttl-minutes + +Time to live (TTL) without user activity for login sessions tokens, in minutes. +By default, [`auth-user-session-idle-ttl-minutes`](#auth-user-session-idle-ttl-minutes) is set to the same value as [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) (for backward compatibility). It must never exceed the value of `auth-user-session-ttl-minutes`. + ### kubeconfig-default-token-TTL-minutes 存活时间(TTL)(单位:分钟),用于确定 kubeconfig 令牌的到期时间。令牌过期后,API 将拒绝令牌。此设置的值不能大于 [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes) 的值。此设置适用于在请求的 kubeconfig 文件中生成的令牌,不包括[由 Rancher CLI 生成的](#在生成的-kubeconfig-中禁用令牌)令牌。 **此设置从 2.6.6 版本开始引入**。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/faq/deprecated-features.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/faq/deprecated-features.md index 945ac129586..6bf9555cfa8 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/faq/deprecated-features.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/faq/deprecated-features.md @@ -16,10 +16,7 @@ Rancher 将在 GitHub 上发布的 Rancher 的[发版说明](https://github.com/ | Patch 版本 | 发布时间 | | ----------------------------------------------------------------- | ------------------ | -| [2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) | 2025 年 10 月 23 日 | -| [2.12.2](https://github.com/rancher/rancher/releases/tag/v2.12.2) | 2025 年 9 月 25 日 | -| [2.12.1](https://github.com/rancher/rancher/releases/tag/v2.12.1) | 2025 年 8 月 28 日 | -| [2.12.0](https://github.com/rancher/rancher/releases/tag/v2.12.0) | 2025 年 7 月 30 日 | +| [2.13.0](https://github.com/rancher/rancher/releases/tag/v2.13.0) | 2025 年 11 月 25 日 | ## 当一个功能被标记为弃用我可以得到什么样的预期? 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index 0b709e5f1c7..6c1e7ac6b9e 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md @@ -14,11 +14,8 @@ title: 安装 Adapter ::: | Rancher 版本 | Adapter 版本 | -|-----------------|:----------------:| -| v2.12.3 | 107.0.0+up7.0.0 | -| v2.12.2 | 107.0.0+up7.0.0 | -| v2.12.1 | 107.0.0+up7.0.0 | -| v2.12.0 | 107.0.0+up7.0.0 | +|-----------------|------------------| +| v2.13.0 | 108.0.0+up8.0.0 | ## 1. 获取对 Local 集群的访问权限 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-webhook.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-webhook.md index bb5b13b4068..555bc2d9f73 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-webhook.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-webhook.md @@ -20,10 +20,7 @@ Rancher 将 Rancher-Webhook 作为单独的 deployment 和服务部署在 local | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| -| v2.12.3 | v0.8.3 | ✓ | ✓ | -| v2.12.2 | v0.8.2 | ✓ | ✓ | -| v2.12.1 | v0.8.1 | ✓ | ✓ | -| v2.12.0 | v0.8.0 | ✗ | ✓ | +| v2.13.0 | v0.9.0 | ✗ | ✓ | ## 为什么我们需要它? diff --git a/openapi/swagger-v2.13.json b/openapi/swagger-v2.13.json new file mode 100644 index 00000000000..c1f0c86fb80 --- /dev/null +++ b/openapi/swagger-v2.13.json 
@@ -0,0 +1,9569 @@ +{ + "swagger": "2.0", + "info": { + "title": "Kubernetes", + "version": "1.34" + }, + "paths": { + "/apis/auditlog.cattle.io/v1/auditpolicies": { + "get": { + "description": "list objects of kind AuditPolicy", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "auditlogCattleIo_v1" + ], + "operationId": "listAuditlogCattleIoV1AuditPolicy", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicyList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "auditlog.cattle.io", + "kind": "AuditPolicy", + "version": "v1" + } + }, + "post": { + "description": "create an AuditPolicy", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "auditlogCattleIo_v1" + ], + "operationId": "createAuditlogCattleIoV1AuditPolicy", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications 
should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "auditlog.cattle.io", + "kind": "AuditPolicy", + "version": "v1" + } + }, + "delete": { + "description": "delete collection of AuditPolicy", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "auditlogCattleIo_v1" + ], + "operationId": "deleteAuditlogCattleIoV1CollectionAuditPolicy", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "deletecollection", + "x-kubernetes-group-version-kind": { + "group": "auditlog.cattle.io", + "kind": "AuditPolicy", 
+ "version": "v1" + } + }, + "parameters": [ + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/auditlog.cattle.io/v1/auditpolicies/{name}": { + "get": { + "description": "read the specified AuditPolicy", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "auditlogCattleIo_v1" + ], + "operationId": "readAuditlogCattleIoV1AuditPolicy", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "auditlog.cattle.io", + "kind": "AuditPolicy", + "version": "v1" + } + }, + "put": { + "description": "replace the specified AuditPolicy", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "auditlogCattleIo_v1" + ], + "operationId": "replaceAuditlogCattleIoV1AuditPolicy", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "auditlog.cattle.io", + "kind": "AuditPolicy", + "version": "v1" + } + }, + "delete": { + "description": "delete an AuditPolicy", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "auditlogCattleIo_v1" + ], + "operationId": "deleteAuditlogCattleIoV1AuditPolicy", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "auditlog.cattle.io", + "kind": "AuditPolicy", + "version": "v1" + } + }, + "patch": { + "description": "partially update the specified AuditPolicy", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "auditlogCattleIo_v1" + ], + "operationId": "patchAuditlogCattleIoV1AuditPolicy", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "auditlog.cattle.io", + "kind": "AuditPolicy", + "version": "v1" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the AuditPolicy", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/auditlog.cattle.io/v1/auditpolicies/{name}/status": { + "get": { + "description": "read status of the specified AuditPolicy", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "auditlogCattleIo_v1" + ], + "operationId": "readAuditlogCattleIoV1AuditPolicyStatus", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + ], + "responses": { + "200": { + 
"description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "auditlog.cattle.io", + "kind": "AuditPolicy", + "version": "v1" + } + }, + "put": { + "description": "replace status of the specified AuditPolicy", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "auditlogCattleIo_v1" + ], + "operationId": "replaceAuditlogCattleIoV1AuditPolicyStatus", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. 
This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "auditlog.cattle.io", + "kind": "AuditPolicy", + "version": "v1" + } + }, + "patch": { + "description": "partially update status of the specified AuditPolicy", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "auditlogCattleIo_v1" + ], + "operationId": "patchAuditlogCattleIoV1AuditPolicyStatus", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "auditlog.cattle.io", + "kind": "AuditPolicy", + "version": "v1" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the AuditPolicy", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/ext.cattle.io/v1/kubeconfigs": { + "get": { + "description": "list or watch objects of kind Kubeconfig", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml", + "application/json;stream=watch" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "listExtCattleIoV1Kubeconfig", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": 
"#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.KubeconfigList" + } + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Kubeconfig", + "version": "v1" + } + }, + "post": { + "description": "create a Kubeconfig", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "createExtCattleIoV1Kubeconfig", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Kubeconfig" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. 
- Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Kubeconfig" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Kubeconfig" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Kubeconfig" + } + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Kubeconfig", + "version": "v1" + } + }, + "delete": { + "description": "delete collection of Kubeconfig", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "deleteExtCattleIoV1CollectionKubeconfig", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + } + }, + "x-kubernetes-action": "deletecollection", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Kubeconfig", + "version": "v1" + } + }, + "parameters": [ + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/ext.cattle.io/v1/kubeconfigs/{name}": { + "get": { + "description": "read the specified Kubeconfig", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "readExtCattleIoV1Kubeconfig", + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Kubeconfig" + } + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Kubeconfig", + "version": "v1" + } + }, + "put": { + "description": "replace the specified Kubeconfig", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + 
"operationId": "replaceExtCattleIoV1Kubeconfig", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Kubeconfig" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Kubeconfig" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Kubeconfig" + } + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Kubeconfig", + "version": "v1" + } + }, + "delete": { + "description": "delete a Kubeconfig", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "deleteExtCattleIoV1Kubeconfig", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + } + }, + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Kubeconfig", + "version": "v1" + } + }, + "patch": { + "description": "partially update the specified Kubeconfig", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/strategic-merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "patchExtCattleIoV1Kubeconfig", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Kubeconfig" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Kubeconfig" + } + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Kubeconfig", + "version": "v1" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the Kubeconfig", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/ext.cattle.io/v1/tokens": { + "get": { + "description": "list or watch objects of kind Token", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml", + "application/json;stream=watch" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "listExtCattleIoV1Token", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": 
"#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.TokenList" + } + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Token", + "version": "v1" + } + }, + "post": { + "description": "create a Token", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "createExtCattleIoV1Token", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Token" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. 
This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Token" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Token" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Token" + } + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Token", + "version": "v1" + } + }, + "delete": { + "description": "delete collection of Token", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "deleteExtCattleIoV1CollectionToken", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + } + }, + "x-kubernetes-action": "deletecollection", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Token", + "version": "v1" + } + }, + "parameters": [ + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/ext.cattle.io/v1/tokens/{name}": { + "get": { + "description": "read the specified Token", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "readExtCattleIoV1Token", + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Token" + } + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Token", + "version": "v1" + } + }, + "put": { + "description": "replace the specified Token", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": 
"replaceExtCattleIoV1Token", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Token" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Token" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Token" + } + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Token", + "version": "v1" + } + }, + "delete": { + "description": "delete a Token", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "deleteExtCattleIoV1Token", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + } + }, + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Token", + "version": "v1" + } + }, + "patch": { + "description": "partially update the specified Token", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/strategic-merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "patchExtCattleIoV1Token", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Token" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.ext.v1.Token" + } + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Token", + "version": "v1" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the Token", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/ext.cattle.io/v1/watch/kubeconfigs": { + "get": { + "description": "watch individual changes to a list of Kubeconfig. 
deprecated: use the 'watch' parameter with a list operation instead.", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml", + "application/json;stream=watch" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "watchExtCattleIoV1KubeconfigList", + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent" + } + } + }, + "x-kubernetes-action": "watchlist", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Kubeconfig", + "version": "v1" + } + }, + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ] + }, + "/apis/ext.cattle.io/v1/watch/kubeconfigs/{name}": { + "get": { + "description": "watch changes to an object of kind Kubeconfig. 
deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml", + "application/json;stream=watch" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "watchExtCattleIoV1Kubeconfig", + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent" + } + } + }, + "x-kubernetes-action": "watch", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Kubeconfig", + "version": "v1" + } + }, + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "uniqueItems": true, + "type": "string", + "description": "name of the Kubeconfig", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ] + }, + "/apis/ext.cattle.io/v1/watch/tokens": { + "get": { + "description": "watch individual changes to a list of Token. 
deprecated: use the 'watch' parameter with a list operation instead.", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml", + "application/json;stream=watch" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "watchExtCattleIoV1TokenList", + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent" + } + } + }, + "x-kubernetes-action": "watchlist", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Token", + "version": "v1" + } + }, + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ] + }, + "/apis/ext.cattle.io/v1/watch/tokens/{name}": { + "get": { + "description": "watch changes to an object of kind Token. 
deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml", + "application/json;stream=watch" + ], + "schemes": [ + "https" + ], + "tags": [ + "extCattleIo_v1" + ], + "operationId": "watchExtCattleIoV1Token", + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent" + } + } + }, + "x-kubernetes-action": "watch", + "x-kubernetes-group-version-kind": { + "group": "ext.cattle.io", + "kind": "Token", + "version": "v1" + } + }, + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "uniqueItems": true, + "type": "string", + "description": "name of the Token", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ] + }, + "/apis/management.cattle.io/v3/clusterroletemplatebindings": { + "get": { + "description": "list objects of kind ClusterRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "listManagementCattleIoV3ClusterRoleTemplateBindingForAllNamespaces", + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": 
"#/definitions/io.cattle.management.v3.ClusterRoleTemplateBindingList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + }, + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ] + }, + "/apis/management.cattle.io/v3/globalrolebindings": { + "get": { + "description": "list objects of kind GlobalRoleBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "listManagementCattleIoV3GlobalRoleBinding", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + 
"$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBindingList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRoleBinding", + "version": "v3" + } + }, + "post": { + "description": "create a GlobalRoleBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "createManagementCattleIoV3GlobalRoleBinding", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. 
This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRoleBinding", + "version": "v3" + } + }, + "delete": { + "description": "delete collection of GlobalRoleBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3CollectionGlobalRoleBinding", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": 
"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "deletecollection", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRoleBinding", + "version": "v3" + } + }, + "parameters": [ + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/globalrolebindings/{name}": { + "get": { + "description": "read the specified GlobalRoleBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "readManagementCattleIoV3GlobalRoleBinding", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRoleBinding", + "version": "v3" + } + }, + "put": { + "description": "replace the specified GlobalRoleBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "replaceManagementCattleIoV3GlobalRoleBinding", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRoleBinding", + "version": "v3" + } + }, + "delete": { + "description": "delete a GlobalRoleBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3GlobalRoleBinding", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRoleBinding", + "version": "v3" + } + }, + "patch": { + "description": "partially update the specified GlobalRoleBinding", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "patchManagementCattleIoV3GlobalRoleBinding", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRoleBinding", + "version": "v3" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the GlobalRoleBinding", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/globalrolebindings/{name}/status": { + "get": { + "description": "read status of the specified GlobalRoleBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "readManagementCattleIoV3GlobalRoleBindingStatus", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + 
], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRoleBinding", + "version": "v3" + } + }, + "put": { + "description": "replace status of the specified GlobalRoleBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "replaceManagementCattleIoV3GlobalRoleBindingStatus", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. 
The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRoleBinding", + "version": "v3" + } + }, + "patch": { + "description": "partially update status of the specified GlobalRoleBinding", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "patchManagementCattleIoV3GlobalRoleBindingStatus", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRoleBinding", + "version": "v3" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the GlobalRoleBinding", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/globalroles": { + "get": { + "description": "list objects of kind GlobalRole", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "listManagementCattleIoV3GlobalRole", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "list", + 
"x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRole", + "version": "v3" + } + }, + "post": { + "description": "create a GlobalRole", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "createManagementCattleIoV3GlobalRole", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRole", + "version": "v3" + } + }, + "delete": { + "description": "delete collection of GlobalRole", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3CollectionGlobalRole", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "deletecollection", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": 
"GlobalRole", + "version": "v3" + } + }, + "parameters": [ + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/globalroles/{name}": { + "get": { + "description": "read the specified GlobalRole", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "readManagementCattleIoV3GlobalRole", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRole", + "version": "v3" + } + }, + "put": { + "description": "replace the specified GlobalRole", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "replaceManagementCattleIoV3GlobalRole", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRole", + "version": "v3" + } + }, + "delete": { + "description": "delete a GlobalRole", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3GlobalRole", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRole", + "version": "v3" + } + }, + "patch": { + "description": "partially update the specified GlobalRole", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "patchManagementCattleIoV3GlobalRole", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRole", + "version": "v3" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the GlobalRole", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/globalroles/{name}/status": { + "get": { + "description": "read status of the specified GlobalRole", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "readManagementCattleIoV3GlobalRoleStatus", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + ], + "responses": { + "200": { + 
"description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRole", + "version": "v3" + } + }, + "put": { + "description": "replace status of the specified GlobalRole", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "replaceManagementCattleIoV3GlobalRoleStatus", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. 
This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRole", + "version": "v3" + } + }, + "patch": { + "description": "partially update status of the specified GlobalRole", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "patchManagementCattleIoV3GlobalRoleStatus", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "GlobalRole", + "version": "v3" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the GlobalRole", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/namespaces/{namespace}/clusterroletemplatebindings": { + "get": { + "description": "list objects of kind ClusterRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "listManagementCattleIoV3NamespacedClusterRoleTemplateBinding", + "parameters": [ + { + "$ref": 
"#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBindingList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + }, + "post": { + "description": "create a ClusterRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "createManagementCattleIoV3NamespacedClusterRoleTemplateBinding", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + }, + "delete": { + "description": "delete collection of ClusterRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3CollectionNamespacedClusterRoleTemplateBinding", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": 
"deletecollection", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + }, + "parameters": [ + { + "$ref": "#/parameters/namespace-vgWSWtn3" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/namespaces/{namespace}/clusterroletemplatebindings/{name}": { + "get": { + "description": "read the specified ClusterRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "readManagementCattleIoV3NamespacedClusterRoleTemplateBinding", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + }, + "put": { + "description": "replace the specified ClusterRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "replaceManagementCattleIoV3NamespacedClusterRoleTemplateBinding", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + }, + "delete": { + "description": "delete a ClusterRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3NamespacedClusterRoleTemplateBinding", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + }, + "patch": { + "description": "partially update the specified ClusterRoleTemplateBinding", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "patchManagementCattleIoV3NamespacedClusterRoleTemplateBinding", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the ClusterRoleTemplateBinding", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/namespace-vgWSWtn3" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/namespaces/{namespace}/clusterroletemplatebindings/{name}/status": { + "get": { + "description": "read status of the specified ClusterRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": 
"readManagementCattleIoV3NamespacedClusterRoleTemplateBindingStatus", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + }, + "put": { + "description": "replace status of the specified ClusterRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "replaceManagementCattleIoV3NamespacedClusterRoleTemplateBindingStatus", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. 
- Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + }, + "patch": { + "description": "partially update status of the specified ClusterRoleTemplateBinding", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "patchManagementCattleIoV3NamespacedClusterRoleTemplateBindingStatus", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the ClusterRoleTemplateBinding", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/namespace-vgWSWtn3" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/namespaces/{namespace}/projectroletemplatebindings": { + "get": { + "description": "list objects of kind ProjectRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "listManagementCattleIoV3NamespacedProjectRoleTemplateBinding", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": 
"#/definitions/io.cattle.management.v3.ProjectRoleTemplateBindingList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ProjectRoleTemplateBinding", + "version": "v3" + } + }, + "post": { + "description": "create a ProjectRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "createManagementCattleIoV3NamespacedProjectRoleTemplateBinding", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectRoleTemplateBinding" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. 
This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectRoleTemplateBinding" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectRoleTemplateBinding" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectRoleTemplateBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ProjectRoleTemplateBinding", + "version": "v3" + } + }, + "delete": { + "description": "delete collection of ProjectRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3CollectionNamespacedProjectRoleTemplateBinding", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + 
"description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "deletecollection", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ProjectRoleTemplateBinding", + "version": "v3" + } + }, + "parameters": [ + { + "$ref": "#/parameters/namespace-vgWSWtn3" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/namespaces/{namespace}/projectroletemplatebindings/{name}": { + "get": { + "description": "read the specified ProjectRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "readManagementCattleIoV3NamespacedProjectRoleTemplateBinding", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectRoleTemplateBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ProjectRoleTemplateBinding", + "version": "v3" + } + }, + "put": { + "description": "replace the specified ProjectRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "replaceManagementCattleIoV3NamespacedProjectRoleTemplateBinding", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectRoleTemplateBinding" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": 
"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectRoleTemplateBinding" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectRoleTemplateBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ProjectRoleTemplateBinding", + "version": "v3" + } + }, + "delete": { + "description": "delete a ProjectRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3NamespacedProjectRoleTemplateBinding", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ProjectRoleTemplateBinding", + "version": "v3" + } + }, + "patch": { + "description": "partially update the specified ProjectRoleTemplateBinding", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "patchManagementCattleIoV3NamespacedProjectRoleTemplateBinding", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectRoleTemplateBinding" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ProjectRoleTemplateBinding", + "version": "v3" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the ProjectRoleTemplateBinding", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/namespace-vgWSWtn3" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/namespaces/{namespace}/projects": { + "get": { + "description": "list objects of kind Project", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "listManagementCattleIoV3NamespacedProject", + "parameters": [ + { + 
"$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "Project", + "version": "v3" + } + }, + "post": { + "description": "create a Project", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "createManagementCattleIoV3NamespacedProject", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.Project" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.Project" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.Project" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.Project" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "Project", + "version": "v3" + } + }, + "delete": { + "description": "delete collection of Project", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3CollectionNamespacedProject", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": 
"#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "deletecollection", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "Project", + "version": "v3" + } + }, + "parameters": [ + { + "$ref": "#/parameters/namespace-vgWSWtn3" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/namespaces/{namespace}/projects/{name}": { + "get": { + "description": "read the specified Project", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "readManagementCattleIoV3NamespacedProject", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.Project" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "Project", + "version": "v3" + } + }, + "put": { + "description": "replace the specified Project", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": 
"replaceManagementCattleIoV3NamespacedProject", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.Project" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.Project" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.Project" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "Project", + "version": "v3" + } + }, + "delete": { + "description": "delete a Project", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3NamespacedProject", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "Project", + "version": "v3" + } + }, + "patch": { + "description": "partially update the specified Project", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "patchManagementCattleIoV3NamespacedProject", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.Project" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "Project", + "version": "v3" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the Project", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/namespace-vgWSWtn3" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/projectroletemplatebindings": { + "get": { + "description": "list objects of kind ProjectRoleTemplateBinding", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "listManagementCattleIoV3ProjectRoleTemplateBindingForAllNamespaces", + "responses": { + "200": { + 
"description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectRoleTemplateBindingList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "ProjectRoleTemplateBinding", + "version": "v3" + } + }, + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ] + }, + "/apis/management.cattle.io/v3/projects": { + "get": { + "description": "list objects of kind Project", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "listManagementCattleIoV3ProjectForAllNamespaces", + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "Project", + "version": "v3" + } + }, + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": 
"#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ] + }, + "/apis/management.cattle.io/v3/roletemplates": { + "get": { + "description": "list objects of kind RoleTemplate", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "listManagementCattleIoV3RoleTemplate", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.RoleTemplateList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "RoleTemplate", + "version": "v3" + } + }, + "post": { + "description": "create a RoleTemplate", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": 
"createManagementCattleIoV3RoleTemplate", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.RoleTemplate" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.RoleTemplate" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.RoleTemplate" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.RoleTemplate" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "RoleTemplate", + "version": "v3" + } + }, + "delete": { + "description": "delete collection of RoleTemplate", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3CollectionRoleTemplate", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "deletecollection", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + 
"kind": "RoleTemplate", + "version": "v3" + } + }, + "parameters": [ + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/roletemplates/{name}": { + "get": { + "description": "read the specified RoleTemplate", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "readManagementCattleIoV3RoleTemplate", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.RoleTemplate" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "RoleTemplate", + "version": "v3" + } + }, + "put": { + "description": "replace the specified RoleTemplate", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "replaceManagementCattleIoV3RoleTemplate", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.RoleTemplate" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.RoleTemplate" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.RoleTemplate" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "RoleTemplate", + "version": "v3" + } + }, + "delete": { + "description": "delete a RoleTemplate", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3RoleTemplate", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "RoleTemplate", + "version": "v3" + } + }, + "patch": { + "description": "partially update the specified RoleTemplate", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "patchManagementCattleIoV3RoleTemplate", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.RoleTemplate" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "RoleTemplate", + "version": "v3" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the RoleTemplate", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/users": { + "get": { + "description": "list objects of kind User", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "listManagementCattleIoV3User", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": 
"#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + }, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.UserList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "User", + "version": "v3" + } + }, + "post": { + "description": "create an User", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "createManagementCattleIoV3User", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.User" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.User" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.User" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.User" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "User", + "version": "v3" + } + }, + "delete": { + "description": "delete collection of User", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3CollectionUser", + "parameters": [ + { + "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J" + }, + { + "$ref": "#/parameters/continue-QfD61s0i" + }, + { + "$ref": "#/parameters/fieldSelector-xIcQKXFG" + }, + { + "$ref": "#/parameters/labelSelector-5Zw57w4C" + 
}, + { + "$ref": "#/parameters/limit-1NfNmdNH" + }, + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + }, + { + "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC" + }, + { + "$ref": "#/parameters/sendInitialEvents-rLXlEK_k" + }, + { + "$ref": "#/parameters/timeoutSeconds-yvYezaOC" + }, + { + "$ref": "#/parameters/watch-XNNPZGbK" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "deletecollection", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "User", + "version": "v3" + } + }, + "parameters": [ + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + }, + "/apis/management.cattle.io/v3/users/{name}": { + "get": { + "description": "read the specified User", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "readManagementCattleIoV3User", + "parameters": [ + { + "$ref": "#/parameters/resourceVersion-5WAnf1kx" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.User" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "User", + "version": "v3" + } + }, + "put": { + "description": "replace the specified User", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "replaceManagementCattleIoV3User", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": 
"#/definitions/io.cattle.management.v3.User" + } + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-Qy4HdaTW" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. 
The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.User" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.User" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "User", + "version": "v3" + } + }, + "delete": { + "description": "delete an User", + "consumes": [ + "application/json", + "application/yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "deleteManagementCattleIoV3User", + "parameters": [ + { + "$ref": "#/parameters/body-2Y1dVQaQ" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. 
Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS" + }, + { + "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj" + }, + { + "$ref": "#/parameters/orphanDependents-uRB25kX5" + }, + { + "$ref": "#/parameters/propagationPolicy-6jk3prlO" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "User", + "version": "v3" + } + }, + "patch": { + "description": "partially update the specified User", + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/apply-patch+yaml" + ], + "produces": [ + "application/json", + "application/yaml" + ], + "schemes": [ + "https" + ], + "tags": [ + "managementCattleIo_v3" + ], + "operationId": "patchManagementCattleIoV3User", + "parameters": [ + { + "$ref": "#/parameters/body-78PwaGsr" + }, + { + "uniqueItems": true, + "type": "string", + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "name": "dryRun", + "in": "query" + }, + { + "$ref": "#/parameters/fieldManager-7c6nTn1T" + }, + { + "uniqueItems": true, + "type": "string", + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. 
Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "name": "fieldValidation", + "in": "query" + }, + { + "$ref": "#/parameters/force-tOGGb0Yi" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.cattle.management.v3.User" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "management.cattle.io", + "kind": "User", + "version": "v3" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "name of the User", + "name": "name", + "in": "path", + "required": true + }, + { + "$ref": "#/parameters/pretty-tJGM1-ng" + } + ] + } + }, + "definitions": { + "io.cattle.auditlog.v1.AuditPolicy": { + "type": "object", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "type": "object", + "required": [ + "enabled" + ], + "properties": { + "additionalRedactions": { + "description": "AdditionalRedactions details additional informatino to be redacted. If there are any Filers defined in the same\npolicy, these Redactions will only be applied to logs that are Allowed by those filters. If there are no\nFilters, the redactions will be applied to all logs.", + "type": "array", + "items": { + "type": "object", + "properties": { + "headers": { + "type": "array", + "items": { + "type": "string" + } + }, + "paths": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + }, + "enabled": { + "type": "boolean" + }, + "filters": { + "description": "Filters described what logs are explicitly allowed and denied. Leave empty if all logs should be allowed. The\nAllow action has higher precedence than Deny. 
So if there are multiple filters that match a log and at least one\nAllow, the log will be allowed.", + "type": "array", + "items": { + "description": "Filter provides values used to filter out audit logs.", + "type": "object", + "properties": { + "action": { + "description": "Action defines what happens", + "type": "string" + }, + "requestURI": { + "description": "RequestURI is a regular expression used to match against the url of the log request. For example, the Filter:\n\nFilter {\n Action: Allow.\n REquestURI: \"/foo/.*\"\n}\n\nwould allow logs sent to \"/foo/some/endpoint\" but not \"/foo\" or \"/foobar\".", + "type": "string" + } + } + } + }, + "verbosity": { + "description": "Verbosity defines how much data to collect from each log. The end verbosity for a log is calculated as a merge\nof each policy that Allows a log (including plicies with no Filters). For example, take the two policie specs\nbelow:\n\nAuditPolicySpec {\n Enabled: True,\n Verbosity: LogVerbosity {\n Request: Verbosity {\n Body: True,\n },\n },\n}\n\nAuditPolicySpec {\n Enabled: True,\n Filters: []Filters{\n {\n Action: \"allow\",\n RequestURI: \"/foo\"\n },\n },\n Verbosity: LogVerbosity {\n Response: Verbosity {\n Body: True,\n },\n },\n}\n\nA request to the \"/foo\" endpoint will log both the request and response bodies, but a request to \"/bar\" will\nonly log the request body.", + "type": "object", + "required": [ + "level" + ], + "properties": { + "level": { + "description": "Level is carried over from the previous implementation of audit logging, and provides a shorthand for defining\nLogVerbosities. 
When Level is not LevelNull, Request and Reponse are ignored.", + "type": "integer" + }, + "request": { + "type": "object", + "properties": { + "body": { + "type": "boolean" + }, + "headers": { + "type": "boolean" + } + } + }, + "response": { + "type": "object", + "properties": { + "body": { + "type": "boolean" + }, + "headers": { + "type": "boolean" + } + } + } + } + } + } + }, + "status": { + "type": "object", + "properties": { + "conditions": { + "type": "array", + "items": { + "description": "Condition contains details for one aspect of the current state of this API Resource.", + "type": "object", + "required": [ + "lastTransitionTime", + "message", + "reason", + "status", + "type" + ], + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + "type": "string", + "format": "date-time" + }, + "message": { + "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", + "type": "string", + "maxLength": 32768 + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", + "type": "integer", + "format": "int64" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", + "type": "string", + 
"maxLength": 1024, + "minLength": 1, + "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "type": "string", + "enum": [ + "True", + "False", + "Unknown" + ] + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", + "type": "string", + "maxLength": 316, + "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + } + } + } + } + } + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "auditlog.cattle.io", + "kind": "AuditPolicy", + "version": "v1" + } + ] + }, + "io.cattle.auditlog.v1.AuditPolicyList": { + "description": "AuditPolicyList is a list of AuditPolicy", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "List of auditpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md", + "type": "array", + "items": { + "$ref": "#/definitions/io.cattle.auditlog.v1.AuditPolicy" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "auditlog.cattle.io", + "kind": "AuditPolicyList", + "version": "v1" + } + ] + }, + "io.cattle.ext.v1.Kubeconfig": { + "description": "Kubeconfig allows creating v1.Config kubeconfig files for interacting with Rancher and clusters managed by Rancher.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. Note: Name and GenerateName are not respected. 
A name is always generated with a predefined prefix.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "Spec is the desired state of the Kubeconfig.", + "$ref": "#/definitions/io.cattle.ext.v1.KubeconfigSpec" + }, + "status": { + "description": "Status is the most recently observed status of the Kubeconfig.", + "$ref": "#/definitions/io.cattle.ext.v1.KubeconfigStatus" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "ext.cattle.io", + "kind": "Kubeconfig", + "version": "v1" + } + ] + }, + "io.cattle.ext.v1.KubeconfigList": { + "description": "KubeconfigList is a list of Kubeconfig resources", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "type": "array", + "items": { + "$ref": "#/definitions/io.cattle.ext.v1.Kubeconfig" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "ext.cattle.io", + "kind": "KubeconfigList", + "version": "v1" + } + ] + }, + "io.cattle.ext.v1.KubeconfigSpec": { + "description": "KubeconfigSpec defines the desired state of Kubeconfig.", + "type": "object", + "properties": { + "clusters": { + "description": "Clusters is a list of cluster names.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "set" + }, + "currentContext": { + "description": "CurrentContext is the cluster ID default context for which will be set as the current context. If omitted, the first cluster in the list is considered for setting the current context.", + "type": "string" + }, + "description": { + "description": "Description is a human readable description of the Kubeconfig.", + "type": "string" + }, + "ttl": { + "description": "TTL is the time-to-live of the kubeconfig tokens, in seconds.", + "type": "integer", + "format": "int64" + } + } + }, + "io.cattle.ext.v1.KubeconfigStatus": { + "description": "KubeconfigStatus defines the most recently observed status of the Kubeconfig.", + "type": "object", + "properties": { + "conditions": { + "description": "Conditions indicate state for particular aspects of the Kubeconfig.", + "type": "array", + "items": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge" + }, + "summary": { + "description": "Summary of the Kubeconfig status. 
Can be \"Complete\" or \"Error\".", + "type": "string" + }, + "tokens": { + "description": "Tokens is a list of Kubeconfig tokens.", + "type": "array", + "items": { + "type": "string" + } + }, + "value": { + "description": "Value contains the generated content of the kubeconfig.", + "type": "string" + } + } + }, + "io.cattle.ext.v1.Token": { + "description": "Token is used to authenticate requests to Rancher.", + "type": "object", + "required": [ + "spec", + "status" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata Note: Name and GenerateName are not respected. 
A name is always generated with a predefined prefix.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "Spec is the desired state of the Token.", + "$ref": "#/definitions/io.cattle.ext.v1.TokenSpec" + }, + "status": { + "description": "Status is the most recently observed status of the Token.", + "$ref": "#/definitions/io.cattle.ext.v1.TokenStatus" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "ext.cattle.io", + "kind": "Token", + "version": "v1" + } + ] + }, + "io.cattle.ext.v1.TokenList": { + "description": "TokenList is a list of Token resources", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "type": "array", + "items": { + "$ref": "#/definitions/io.cattle.ext.v1.Token" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "ext.cattle.io", + "kind": "TokenList", + "version": "v1" + } + ] + }, + "io.cattle.ext.v1.TokenPrincipal": { + "description": "TokenPrincipal contains the data about the user principal owning the token.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "displayName": { + "description": "DisplayName is the human readable name/description of the principal.", + "type": "string" + }, + "extraInfo": { + "description": "ExtraInfo contains additional information about the principal.", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "loginName": { + "description": "LoginName is the account name of the principal in the managing auth provider.", + "type": "string" + }, + "me": { + "description": "Me is a virtual flag for use with the dashboard.", + "type": "boolean" + }, + "memberOf": { + "description": "MemberOf is a virtual flag for use with the dashboard.", + "type": "boolean" + }, + "name": { + "description": "Name is the name unique to the authentication provider.", + "type": "string" + }, + "principalType": { + "description": "PrincipalType is the kind of principal. 
Legal values are \"user\" and \"group\".", + "type": "string" + }, + "profilePicture": { + "description": "ProfilePicture is an url to a picture to use when displaying the principal.", + "type": "string" + }, + "profileURL": { + "description": "ProfileURL is not used by the system", + "type": "string" + }, + "provider": { + "description": "Provider is the name of the auth provider managing the principal", + "type": "string" + } + } + }, + "io.cattle.ext.v1.TokenSpec": { + "description": "TokenSpec defines the desired state of the Token.", + "type": "object", + "required": [ + "userPrincipal" + ], + "properties": { + "clusterName": { + "description": "ClusterName holds the name of the cluster the token is scoped to, if any. An empty string indicates that the token is not scoped to a specific cluster.", + "type": "string" + }, + "description": { + "description": "Human readable free-form description of the token. For example, its purpose.", + "type": "string" + }, + "enabled": { + "description": "Enabled indicates an active token. The default (`null`) indicates an enabled token.", + "type": "boolean" + }, + "kind": { + "description": "Kind describes the nature of the token. The value \"session\" indicates a login/session token. Any other value, including the empty string, which is the default, stands for some kind of derived token.", + "type": "string" + }, + "ttl": { + "description": "TTL is the time-to-live of the token, in milliseconds. Setting a value \u003c 0 represents +infinity, i.e. a token which does not expire. The default is indicated by the value `0`. This default is provided by the `auth-token-max-ttl-minutes` setting. Note that this default is also the maximum specifiable TTL. A value \u003c= 0 there enables non-expiring tokens.", + "type": "integer", + "format": "int64" + }, + "userID": { + "description": "UserID is the kube resource id of the user owning the token. By default that is the user who owned the token making the request creating this token. 
Currently this default is enforced, i.e. using a different user is rejected as forbidden.", + "type": "string" + }, + "userPrincipal": { + "description": "UserPrincipal holds the information about the ext auth provider managed user (principal) owning the token.", + "$ref": "#/definitions/io.cattle.ext.v1.TokenPrincipal" + } + } + }, + "io.cattle.ext.v1.TokenStatus": { + "description": "TokenStatus defines the most recently observed status of the Token.", + "type": "object", + "required": [ + "current", + "expired", + "expiresAt", + "lastUpdateTime" + ], + "properties": { + "bearerToken": { + "description": "Fully formed bearer token that is ready to use in the Authorization header to authenticate to Rancher.", + "type": "string" + }, + "current": { + "description": "Current indicates whether the token was used to authenticate the current request.", + "type": "boolean" + }, + "expired": { + "description": "Expired indicates whether the token has exceeded its TTL.", + "type": "boolean" + }, + "expiresAt": { + "description": "ExpiresAt is the token's expiration timestamp or an empty string if the token doesn't expire.", + "type": "string" + }, + "hash": { + "description": "Hash is the hash of the Value.", + "type": "string" + }, + "lastActivitySeen": { + "description": "LastActivitySeen is the timestamp of the last time user activity (mouse movement, interaction, ...) was reported for the token.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "lastUpdateTime": { + "description": "LastUpdateTime is the timestamp of the last change to the token.", + "type": "string" + }, + "lastUsedAt": { + "description": "LastUsedAt is the timestamp of the last time the token was used to authenticate.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "value": { + "description": "Value is the access key. 
It is shown only on token creation and not saved.", + "type": "string" + } + } + }, + "io.cattle.management.v3.ClusterRoleTemplateBinding": { + "description": "ClusterRoleTemplateBinding is the object representing membership of a subject in a cluster with permissions\nspecified by a given role template.", + "type": "object", + "required": [ + "clusterName", + "roleTemplateName" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "clusterName": { + "description": "ClusterName is the metadata.name of the cluster to which a subject is added.\nMust match the namespace. Immutable.", + "type": "string" + }, + "groupName": { + "description": "GroupName is the name of the group subject added to the cluster. Immutable.", + "type": "string" + }, + "groupPrincipalName": { + "description": "GroupPrincipalName is the name of the group principal subject added to the cluster. Immutable.", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "roleTemplateName": { + "description": "RoleTemplateName is the name of the role template that defines permissions to perform actions on resources in the cluster. 
Immutable.", + "type": "string" + }, + "status": { + "description": "Status is the most recently observed status of the ClusterRoleTemplateBinding. BEWARE. This is read from and written to by __two__ controllers.", + "type": "object", + "properties": { + "lastUpdateTime": { + "description": "LastUpdateTime is a k8s timestamp of the last time the status was updated by any of the two controllers operating on it.", + "type": "string" + }, + "localConditions": { + "description": "LocalConditions is a slice of Condition, indicating the status of backing RBAC objects created in the local cluster.", + "type": "array", + "items": { + "description": "Condition contains details for one aspect of the current state of this API Resource.", + "type": "object", + "required": [ + "lastTransitionTime", + "message", + "reason", + "status", + "type" + ], + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable.", + "type": "string", + "format": "date-time" + }, + "message": { + "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", + "type": "string", + "maxLength": 32768 + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", + "type": "integer", + "format": "int64" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", + "type": "string", + "maxLength": 1024, + "minLength": 1, + "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "type": "string", + "enum": [ + "True", + "False", + "Unknown" + ] + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", + "type": "string", + "maxLength": 316, + "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + } + } + } + }, + "observedGenerationLocal": { + "description": "ObservedGenerationLocal is the most recent generation (metadata.generation in CRTB)\nobserved by the local controller operating on this status. 
Populated by the system.", + "type": "integer", + "format": "int64" + }, + "observedGenerationRemote": { + "description": "ObservedGenerationRemote is the most recent generation (metadata.generation in CRTB)\nobserved by the remote controller operating on this status. Populated by the system.", + "type": "integer", + "format": "int64" + }, + "remoteConditions": { + "description": "RemoteConditions is a slice of Condition, indicating the status of backing RBAC objects created in the downstream cluster.", + "type": "array", + "items": { + "description": "Condition contains details for one aspect of the current state of this API Resource.", + "type": "object", + "required": [ + "lastTransitionTime", + "message", + "reason", + "status", + "type" + ], + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + "type": "string", + "format": "date-time" + }, + "message": { + "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", + "type": "string", + "maxLength": 32768 + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", + "type": "integer", + "format": "int64" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis 
field may not be empty.", + "type": "string", + "maxLength": 1024, + "minLength": 1, + "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "type": "string", + "enum": [ + "True", + "False", + "Unknown" + ] + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", + "type": "string", + "maxLength": 316, + "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + } + } + } + }, + "summary": { + "description": "Summary represents the summary of all resources. One of \"Complete\" or \"Error\".", + "type": "string" + }, + "summaryLocal": { + "description": "SummaryLocal represents the summary of the resources created in the local cluster. One of \"Complete\" or \"Error\".", + "type": "string" + }, + "summaryRemote": { + "description": "SummaryRemote represents the summary of the resources created in the downstream cluster. One of \"Complete\" or \"Error\".", + "type": "string" + } + } + }, + "userName": { + "description": "UserName is the name of the user subject added to the cluster. Immutable.", + "type": "string" + }, + "userPrincipalName": { + "description": "UserPrincipalName is the name of the user principal subject added to the cluster. Immutable.", + "type": "string" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBinding", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.ClusterRoleTemplateBindingList": { + "description": "ClusterRoleTemplateBindingList is a list of ClusterRoleTemplateBinding", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "List of clusterroletemplatebindings. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md", + "type": "array", + "items": { + "$ref": "#/definitions/io.cattle.management.v3.ClusterRoleTemplateBinding" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "ClusterRoleTemplateBindingList", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.GlobalRole": { + "description": "GlobalRole defines rules that can be applied to the local cluster and or every downstream cluster.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "builtin": { + "description": "Builtin specifies that this GlobalRole was created by Rancher if true. 
Immutable.", + "type": "boolean" + }, + "description": { + "description": "Description holds text that describes the resource.", + "type": "string" + }, + "displayName": { + "description": "DisplayName is the human-readable name displayed in the UI for this resource.", + "type": "string" + }, + "inheritedClusterRoles": { + "description": "InheritedClusterRoles are the names of RoleTemplates whose permissions are granted by this GlobalRole in every\ncluster besides the local cluster. To grant permissions in the local cluster, use the Rules field.", + "type": "array", + "items": { + "type": "string" + } + }, + "inheritedFleetWorkspacePermissions": { + "description": "InheritedFleetWorkspacePermissions are the permissions granted by this GlobalRole in every fleet workspace besides\nthe local one.", + "type": "object", + "properties": { + "resourceRules": { + "description": "ResourceRules rules granted in all backing namespaces for all fleet workspaces besides the local one.", + "type": "array", + "items": { + "description": "PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.", + "type": "object", + "required": [ + "verbs" + ], + "properties": { + "apiGroups": { + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "nonResourceURLs": { + "description": "NonResourceURLs is a set of partial urls that a user should have access to. 
*s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "verbs": { + "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + } + } + } + }, + "workspaceVerbs": { + "description": "WorkspaceVerbs verbs used to grant permissions to the cluster-wide fleetworkspace resources. ResourceNames for\nthis rule will contain all fleet workspace names except local.", + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "namespacedRules": { + "description": "NamespacedRules are the rules that are active in each namespace of this GlobalRole.\nThese are applied to the local cluster only.\n* has no special meaning in the keys - these keys are read as raw strings\nand must exactly match with one existing namespace.", + "type": "object", + "additionalProperties": { + "type": "array", + "items": { + "description": "PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.", + "type": "object", + "required": [ + "verbs" + ], + "properties": { + "apiGroups": { + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "nonResourceURLs": { + "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. 
An empty set means that everything is allowed.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "verbs": { + "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + } + } + } + } + }, + "newUserDefault": { + "description": "NewUserDefault specifies that all new users created should be bound to this GlobalRole if true.", + "type": "boolean" + }, + "rules": { + "description": "Rules holds a list of PolicyRules that are applied to the local cluster only.", + "type": "array", + "items": { + "description": "PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.", + "type": "object", + "required": [ + "verbs" + ], + "properties": { + "apiGroups": { + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "nonResourceURLs": { + "description": "NonResourceURLs is a set of partial urls that a user should have access to. 
*s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "verbs": { + "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + } + } + } + }, + "status": { + "description": "Status is the most recently observed status of the GlobalRole.", + "type": "object", + "properties": { + "conditions": { + "description": "Conditions is a slice of Condition, indicating the status of specific backing RBAC objects.\nThere is one condition per ClusterRole and Role managed by the GlobalRole.", + "type": "array", + "items": { + "description": "Condition contains details for one aspect of the current state of this API Resource.", + "type": "object", + "required": [ + "lastTransitionTime", + "message", + "reason", + "status", + "type" + ], + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable.", + "type": "string", + "format": "date-time" + }, + "message": { + "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", + "type": "string", + "maxLength": 32768 + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", + "type": "integer", + "format": "int64" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", + "type": "string", + "maxLength": 1024, + "minLength": 1, + "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "type": "string", + "enum": [ + "True", + "False", + "Unknown" + ] + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", + "type": "string", + "maxLength": 316, + "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + } + } + } + }, + "lastUpdateTime": { + "description": "LastUpdate is a k8s timestamp of the last time the status was updated.", + "type": "string" + }, + "observedGeneration": { + "description": "ObservedGeneration is the most recent generation (metadata.generation in GlobalRole CR)\nobserved by the controller. 
Populated by the system.", + "type": "integer", + "format": "int64" + }, + "summary": { + "description": "Summary is a string. One of \"Complete\", \"InProgress\" or \"Error\".", + "type": "string" + } + } + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "GlobalRole", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.GlobalRoleBinding": { + "description": "GlobalRoleBinding binds a given subject user or group to a GlobalRole.", + "type": "object", + "required": [ + "globalRoleName" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "globalRoleName": { + "description": "GlobalRoleName is the name of the Global Role that the subject will be bound to. Immutable.", + "type": "string" + }, + "groupPrincipalName": { + "description": "GroupPrincipalName is the name of the group principal subject to be bound. Immutable.", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "status": { + "description": "Status is the most recently observed status of the GlobalRoleBinding. 
Note, that this is read from and written to by __two__ controllers.", + "type": "object", + "properties": { + "lastUpdateTime": { + "description": "LastUpdateTime is a k8s timestamp of the last time the status was updated by any of the two controllers operating on it.", + "type": "string" + }, + "localConditions": { + "description": "LocalConditions is a slice of Condition, indicating the status of backing RBAC objects created in the local cluster.", + "type": "array", + "items": { + "description": "Condition contains details for one aspect of the current state of this API Resource.", + "type": "object", + "required": [ + "lastTransitionTime", + "message", + "reason", + "status", + "type" + ], + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + "type": "string", + "format": "date-time" + }, + "message": { + "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", + "type": "string", + "maxLength": 32768 + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", + "type": "integer", + "format": "int64" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", + "type": "string", + 
"maxLength": 1024, + "minLength": 1, + "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "type": "string", + "enum": [ + "True", + "False", + "Unknown" + ] + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", + "type": "string", + "maxLength": 316, + "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + } + } + } + }, + "observedGenerationLocal": { + "description": "ObservedGenerationLocal is the most recent generation (metadata.generation in GRB)\nobserved by the local controller operating on this status. Populated by the system.", + "type": "integer", + "format": "int64" + }, + "observedGenerationRemote": { + "description": "ObservedGenerationRemote is the most recent generation (metadata.generation in GRB)\nobserved by the remote controller operating on this status. Populated by the system.", + "type": "integer", + "format": "int64" + }, + "remoteConditions": { + "description": "RemoteConditions is a slice of Condition, indicating the status of backing RBAC objects created in the downstream cluster.", + "type": "array", + "items": { + "description": "Condition contains details for one aspect of the current state of this API Resource.", + "type": "object", + "required": [ + "lastTransitionTime", + "message", + "reason", + "status", + "type" + ], + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable.", + "type": "string", + "format": "date-time" + }, + "message": { + "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", + "type": "string", + "maxLength": 32768 + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", + "type": "integer", + "format": "int64" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", + "type": "string", + "maxLength": 1024, + "minLength": 1, + "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "type": "string", + "enum": [ + "True", + "False", + "Unknown" + ] + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", + "type": "string", + "maxLength": 316, + "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" + } + } + } + }, + "summary": { + "description": "Summary represents the summary of all resources. One of \"Complete\" or \"Error\".", + "type": "string" + }, + "summaryLocal": { + "description": "SummaryLocal represents the summary of the resources created in the local cluster. 
One of \"Complete\" or \"Error\".", + "type": "string" + }, + "summaryRemote": { + "description": "SummaryRemote represents the summary of the resources created in the downstream cluster. One of \"Complete\" or \"Error\".", + "type": "string" + } + } + }, + "userName": { + "description": "UserName is the name of the user subject to be bound. Immutable.", + "type": "string" + }, + "userPrincipalName": { + "description": "UserPrincipalName is the name of the user principal subject to be bound. Immutable.", + "type": "string" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "GlobalRoleBinding", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.GlobalRoleBindingList": { + "description": "GlobalRoleBindingList is a list of GlobalRoleBinding", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "List of globalrolebindings. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md", + "type": "array", + "items": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRoleBinding" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "GlobalRoleBindingList", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.GlobalRoleList": { + "description": "GlobalRoleList is a list of GlobalRole", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "List of globalroles. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md", + "type": "array", + "items": { + "$ref": "#/definitions/io.cattle.management.v3.GlobalRole" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "GlobalRoleList", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.Project": { + "description": "Project is a group of namespaces.\nProjects are used to create a multi-tenant environment within a Kubernetes cluster by managing namespace operations,\nsuch as role assignments or quotas, as a group.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "Spec is the specification of the desired configuration for the project.", + "type": "object", + "required": [ + "clusterName", + "displayName" + ], + "properties": { + "clusterName": { + "description": "ClusterName is the name of the cluster the project belongs to. 
Immutable.", + "type": "string" + }, + "containerDefaultResourceLimit": { + "description": "ContainerDefaultResourceLimit is a specification for the default LimitRange for the namespace.\nSee https://kubernetes.io/docs/concepts/policy/limit-range/ for more details.", + "type": "object", + "properties": { + "limitsCpu": { + "description": "LimitsCPU is the CPU limits across all pods in a non-terminal state.", + "type": "string" + }, + "limitsMemory": { + "description": "LimitsMemory is the memory limits across all pods in a non-terminal state.", + "type": "string" + }, + "requestsCpu": { + "description": "RequestsCPU is the CPU requests limit across all pods in a non-terminal state.", + "type": "string" + }, + "requestsMemory": { + "description": "RequestsMemory is the memory requests limit across all pods in a non-terminal state.", + "type": "string" + } + } + }, + "description": { + "description": "Description is a human-readable description of the project.", + "type": "string" + }, + "displayName": { + "description": "DisplayName is the human-readable name for the project.", + "type": "string" + }, + "namespaceDefaultResourceQuota": { + "description": "NamespaceDefaultResourceQuota is a specification of the default ResourceQuota that a namespace will receive if none is provided.\nMust provide ResourceQuota if NamespaceDefaultResourceQuota is specified.\nSee https://kubernetes.io/docs/concepts/policy/resource-quotas/ for more details.", + "type": "object", + "properties": { + "limit": { + "description": "Limit is the default quota limits applied to new namespaces.", + "type": "object", + "properties": { + "configMaps": { + "description": "ConfigMaps is the total number of ReplicationControllers that can exist in the namespace.", + "type": "string" + }, + "limitsCpu": { + "description": "LimitsCPU is the CPU limits across all pods in a non-terminal state.", + "type": "string" + }, + "limitsMemory": { + "description": "LimitsMemory is the memory limits across all 
pods in a non-terminal state.", + "type": "string" + }, + "persistentVolumeClaims": { + "description": "PersistentVolumeClaims is the total number of PersistentVolumeClaims that can exist in the namespace.", + "type": "string" + }, + "pods": { + "description": "Pods is the total number of Pods in a non-terminal state that can exist in the namespace. A pod is in a terminal state if .status.phase in (Failed, Succeeded) is true.", + "type": "string" + }, + "replicationControllers": { + "description": "ReplicationControllers is total number of ReplicationControllers that can exist in the namespace.", + "type": "string" + }, + "requestsCpu": { + "description": "RequestsCPU is the CPU requests limit across all pods in a non-terminal state.", + "type": "string" + }, + "requestsMemory": { + "description": "RequestsMemory is the memory requests limit across all pods in a non-terminal state.", + "type": "string" + }, + "requestsStorage": { + "description": "RequestsStorage is the storage requests limit across all persistent volume claims.", + "type": "string" + }, + "secrets": { + "description": "Secrets is the total number of ReplicationControllers that can exist in the namespace.", + "type": "string" + }, + "services": { + "description": "Services is the total number of Services that can exist in the namespace.", + "type": "string" + }, + "servicesLoadBalancers": { + "description": "ServicesLoadBalancers is the total number of Services of type LoadBalancer that can exist in the namespace.", + "type": "string" + }, + "servicesNodePorts": { + "description": "ServiceNodePorts is the total number of Services of type NodePort that can exist in the namespace.", + "type": "string" + } + } + } + } + }, + "resourceQuota": { + "description": "ResourceQuota is a specification for the total amount of quota for standard resources that will be shared by all namespaces in the project.\nMust provide NamespaceDefaultResourceQuota if ResourceQuota is specified.\nSee 
https://kubernetes.io/docs/concepts/policy/resource-quotas/ for more details.", + "type": "object", + "properties": { + "limit": { + "description": "Limit is the total allowable quota limits shared by all namespaces in the project.", + "type": "object", + "properties": { + "configMaps": { + "description": "ConfigMaps is the total number of ReplicationControllers that can exist in the namespace.", + "type": "string" + }, + "limitsCpu": { + "description": "LimitsCPU is the CPU limits across all pods in a non-terminal state.", + "type": "string" + }, + "limitsMemory": { + "description": "LimitsMemory is the memory limits across all pods in a non-terminal state.", + "type": "string" + }, + "persistentVolumeClaims": { + "description": "PersistentVolumeClaims is the total number of PersistentVolumeClaims that can exist in the namespace.", + "type": "string" + }, + "pods": { + "description": "Pods is the total number of Pods in a non-terminal state that can exist in the namespace. A pod is in a terminal state if .status.phase in (Failed, Succeeded) is true.", + "type": "string" + }, + "replicationControllers": { + "description": "ReplicationControllers is total number of ReplicationControllers that can exist in the namespace.", + "type": "string" + }, + "requestsCpu": { + "description": "RequestsCPU is the CPU requests limit across all pods in a non-terminal state.", + "type": "string" + }, + "requestsMemory": { + "description": "RequestsMemory is the memory requests limit across all pods in a non-terminal state.", + "type": "string" + }, + "requestsStorage": { + "description": "RequestsStorage is the storage requests limit across all persistent volume claims.", + "type": "string" + }, + "secrets": { + "description": "Secrets is the total number of ReplicationControllers that can exist in the namespace.", + "type": "string" + }, + "services": { + "description": "Services is the total number of Services that can exist in the namespace.", + "type": "string" + }, + 
"servicesLoadBalancers": { + "description": "ServicesLoadBalancers is the total number of Services of type LoadBalancer that can exist in the namespace.", + "type": "string" + }, + "servicesNodePorts": { + "description": "ServiceNodePorts is the total number of Services of type NodePort that can exist in the namespace.", + "type": "string" + } + } + }, + "usedLimit": { + "description": "UsedLimit is the currently allocated quota for all namespaces in the project.", + "type": "object", + "properties": { + "configMaps": { + "description": "ConfigMaps is the total number of ReplicationControllers that can exist in the namespace.", + "type": "string" + }, + "limitsCpu": { + "description": "LimitsCPU is the CPU limits across all pods in a non-terminal state.", + "type": "string" + }, + "limitsMemory": { + "description": "LimitsMemory is the memory limits across all pods in a non-terminal state.", + "type": "string" + }, + "persistentVolumeClaims": { + "description": "PersistentVolumeClaims is the total number of PersistentVolumeClaims that can exist in the namespace.", + "type": "string" + }, + "pods": { + "description": "Pods is the total number of Pods in a non-terminal state that can exist in the namespace. 
A pod is in a terminal state if .status.phase in (Failed, Succeeded) is true.", + "type": "string" + }, + "replicationControllers": { + "description": "ReplicationControllers is total number of ReplicationControllers that can exist in the namespace.", + "type": "string" + }, + "requestsCpu": { + "description": "RequestsCPU is the CPU requests limit across all pods in a non-terminal state.", + "type": "string" + }, + "requestsMemory": { + "description": "RequestsMemory is the memory requests limit across all pods in a non-terminal state.", + "type": "string" + }, + "requestsStorage": { + "description": "RequestsStorage is the storage requests limit across all persistent volume claims.", + "type": "string" + }, + "secrets": { + "description": "Secrets is the total number of ReplicationControllers that can exist in the namespace.", + "type": "string" + }, + "services": { + "description": "Services is the total number of Services that can exist in the namespace.", + "type": "string" + }, + "servicesLoadBalancers": { + "description": "ServicesLoadBalancers is the total number of Services of type LoadBalancer that can exist in the namespace.", + "type": "string" + }, + "servicesNodePorts": { + "description": "ServiceNodePorts is the total number of Services of type NodePort that can exist in the namespace.", + "type": "string" + } + } + } + } + } + } + }, + "status": { + "description": "Status is the most recently observed status of the project.", + "type": "object", + "properties": { + "backingNamespace": { + "description": "BackingNamespace is the name of the namespace that contains resources associated with the project.", + "type": "string" + }, + "conditions": { + "description": "Conditions are a set of indicators about aspects of the project.", + "type": "array", + "items": { + "description": "ProjectCondition is the status of an aspect of the project.", + "type": "object", + "required": [ + "status", + "type" + ], + "properties": { + "lastTransitionTime": { + 
"description": "Last time the condition transitioned from one status to another.", + "type": "string" + }, + "lastUpdateTime": { + "description": "The last time this condition was updated.", + "type": "string" + }, + "message": { + "description": "Human-readable message indicating details about last transition.", + "type": "string" + }, + "reason": { + "description": "The reason for the condition's last transition.", + "type": "string" + }, + "status": { + "description": "Status of the condition, one of True, False, Unknown.", + "type": "string" + }, + "type": { + "description": "Type of project condition.", + "type": "string" + } + } + } + } + } + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "Project", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.ProjectList": { + "description": "ProjectList is a list of Project", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "List of projects. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md", + "type": "array", + "items": { + "$ref": "#/definitions/io.cattle.management.v3.Project" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "ProjectList", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.ProjectRoleTemplateBinding": { + "description": "ProjectRoleTemplateBinding is the object representing membership of a subject in a project with permissions\nspecified by a given role template.", + "type": "object", + "required": [ + "projectName", + "roleTemplateName" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "groupName": { + "description": "GroupName is the name of the group subject added to the project. Immutable.", + "type": "string" + }, + "groupPrincipalName": { + "description": "GroupPrincipalName is the name of the group principal subject added to the project. Immutable.", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "projectName": { + "description": "ProjectName is the name of the project to which a subject is added. 
Immutable.", + "type": "string" + }, + "roleTemplateName": { + "description": "RoleTemplateName is the name of the role template that defines permissions to perform actions on resources in the project. Immutable.", + "type": "string" + }, + "serviceAccount": { + "description": "ServiceAccount is the name of the service account bound as a subject. Immutable.\nDeprecated.", + "type": "string" + }, + "userName": { + "description": "UserName is the name of the user subject added to the project. Immutable.", + "type": "string" + }, + "userPrincipalName": { + "description": "UserPrincipalName is the name of the user principal subject added to the project. Immutable.", + "type": "string" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "ProjectRoleTemplateBinding", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.ProjectRoleTemplateBindingList": { + "description": "ProjectRoleTemplateBindingList is a list of ProjectRoleTemplateBinding", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "List of projectroletemplatebindings. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md", + "type": "array", + "items": { + "$ref": "#/definitions/io.cattle.management.v3.ProjectRoleTemplateBinding" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "ProjectRoleTemplateBindingList", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.RoleTemplate": { + "description": "RoleTemplate holds configuration for a template that is used to create kubernetes Roles and ClusterRoles\n(in the rbac.authorization.k8s.io group) for a cluster or project.", + "type": "object", + "properties": { + "administrative": { + "description": "Administrative field is deprecated and no longer used.", + "type": "boolean" + }, + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "builtin": { + "description": "Builtin if true specifies that this RoleTemplate was created by Rancher and is immutable.\nDefault to false.", + "type": "boolean" + }, + "clusterCreatorDefault": { + "description": "ClusterCreatorDefault if true, a binding with this RoleTemplate will be created for a users when they create a new cluster.\nClusterCreatorDefault is only evaluated if the context of the RoleTemplate is set to cluster.\nDefault to false.", + "type": "boolean" + }, + "context": { + "description": "Context describes if the roleTemplate applies to clusters or projects.\nValid values are \"project\", \"cluster\" or \"\".", + "type": "string", + "enum": [ + "project", + "cluster", + "" + ] + }, + "description": { + "description": "Description holds text that describes the resource.", + "type": "string" + }, + "displayName": { + "description": "DisplayName is the human-readable name displayed in the UI for this resource.", + "type": "string" + }, + "external": { + "description": "External if true specifies that rules for this RoleTemplate should be gathered from a ClusterRole with the matching name.\nIf set to true the Rules on the template will not be evaluated.\nExternal's value is only evaluated if the RoleTemplate's context is set to \"cluster\"\nDefault to false.", + "type": "boolean" + }, + "externalRules": { + "description": "ExternalRules hold the external PolicyRules that will be used for authorization.\nThis field is required when External=true and no underlying ClusterRole exists in the local cluster.\nThis field is just used when the feature flag 'external-rules' is on.", + "type": "array", + "items": { + "description": "PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.", + "type": "object", + "required": [ 
+ "verbs" + ], + "properties": { + "apiGroups": { + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "nonResourceURLs": { + "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "verbs": { + "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + } + } + } + }, + "hidden": { + "description": "Hidden if true informs the Rancher UI not to display this RoleTemplate.\nDefault to false.", + "type": "boolean" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "locked": { + "description": "Locked if true, new bindings will not be able to use this RoleTemplate.\nDefault to false.", + "type": "boolean" + }, + "metadata": { + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "projectCreatorDefault": { + "description": "ProjectCreatorDefault if true, a binding with this RoleTemplate will be created for a user when they create a new project.\nProjectCreatorDefault is only evaluated if the context of the RoleTemplate is set to project.\nDefault to false.", + "type": "boolean" + }, + "roleTemplateNames": { + "description": "RoleTemplateNames list of RoleTemplate names that this RoleTemplate will inherit.\nThis RoleTemplate will grant all rules defined in an inherited RoleTemplate.\nInherited RoleTemplates must already exist.", + "type": "array", + "items": { + "type": "string" + } + }, + "rules": { + "description": "Rules hold all the PolicyRules for this RoleTemplate.", + "type": "array", + "items": { + "description": "PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.", + "type": "object", + "required": [ + "verbs" + ], + "properties": { + "apiGroups": { + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. 
\"\" represents the core API group and \"*\" represents all API groups.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "nonResourceURLs": { + "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "verbs": { + "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + } + } + } + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "RoleTemplate", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.RoleTemplateList": { + "description": "RoleTemplateList is a list of RoleTemplate", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "List of roletemplates. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md", + "type": "array", + "items": { + "$ref": "#/definitions/io.cattle.management.v3.RoleTemplate" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "RoleTemplateList", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.User": { + "description": "User represents a user in Rancher", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "description": { + "description": "Description provides a brief summary about the user.", + "type": "string" + }, + "displayName": { + "description": "DisplayName is the user friendly name shown in the UI.", + "type": "string" + }, + "enabled": { + "description": "Enabled indicates whether the user account is active.", + "type": "boolean" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "me": { + "description": "Deprecated. Only used by /v3 Rancher API.", + "type": "boolean" + }, + "metadata": { + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "mustChangePassword": { + "description": "MustChangePassword is a flag that, if true, forces the user to change their\npassword upon their next login.", + "type": "boolean" + }, + "password": { + "description": "Deprecated. Password are stored in secrets in the cattle-local-user-passwords namespace.", + "type": "string" + }, + "principalIds": { + "description": "PrincipalIDs lists the authentication provider identities (e.g. 
GitHub, Keycloak or Active Directory)\nthat are associated with this user account.", + "type": "array", + "items": { + "type": "string" + } + }, + "status": { + "description": "Status contains the most recent observed state of the user.", + "type": "object", + "properties": { + "conditions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "status", + "type" + ], + "properties": { + "lastTransitionTime": { + "description": "Last time the condition transitioned from one status to another.", + "type": "string" + }, + "lastUpdateTime": { + "description": "The last time this condition was updated.", + "type": "string" + }, + "message": { + "description": "Human-readable message indicating details about last transition", + "type": "string" + }, + "reason": { + "description": "The reason for the condition's last transition.", + "type": "string" + }, + "status": { + "description": "Status of the condition, one of True, False, Unknown.", + "type": "string" + }, + "type": { + "description": "Type of user condition.", + "type": "string" + } + } + } + } + } + }, + "username": { + "description": "Username is the unique login identifier for the user.", + "type": "string" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "User", + "version": "v3" + } + ] + }, + "io.cattle.management.v3.UserList": { + "description": "UserList is a list of User", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "List of users. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md", + "type": "array", + "items": { + "$ref": "#/definitions/io.cattle.management.v3.User" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "management.cattle.io", + "kind": "UserList", + "version": "v3" + } + ] + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.Condition": { + "description": "Condition contains details for one aspect of the current state of this API Resource.", + "type": "object", + "required": [ + "type", + "status", + "lastTransitionTime", + "reason", + "message" + ], + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "message": { + "description": "message is a human readable message indicating details about the transition. This may be an empty string.", + "type": "string" + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + "type": "integer", + "format": "int64" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + "type": "string" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "type": "string" + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", + "type": "string" + } + } + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions": { + "description": "DeleteOptions may be provided when deleting an API object.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "dryRun": { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "atomic" + }, + "gracePeriodSeconds": { + "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. 
If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.", + "type": "integer", + "format": "int64" + }, + "ignoreStoreReadErrorWithClusterBreakingPotential": { + "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it", + "type": "boolean" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "orphanDependents": { + "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.", + "type": "boolean" + }, + "preconditions": { + "description": "Must be fulfilled before a deletion is carried out. 
If not possible, a 409 Conflict status will be returned.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions" + }, + "propagationPolicy": { + "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.", + "type": "string" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "admission.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "admission.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "aks.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "ali.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "apiextensions.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "apiextensions.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "apiregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "apiregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "apps", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "apps", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "apps", + "kind": 
"DeleteOptions", + "version": "v1beta2" + }, + { + "group": "auditlog.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "authentication.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "authentication.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "authentication.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "authorization.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "authorization.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "autoscaling", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "autoscaling", + "kind": "DeleteOptions", + "version": "v2" + }, + { + "group": "autoscaling", + "kind": "DeleteOptions", + "version": "v2beta1" + }, + { + "group": "autoscaling", + "kind": "DeleteOptions", + "version": "v2beta2" + }, + { + "group": "batch", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "batch", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "catalog.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "certificates.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "certificates.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "certificates.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "cluster.cattle.io", + "kind": "DeleteOptions", + "version": "v3" + }, + { + "group": "cluster.x-k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "coordination.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "coordination.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha2" + }, + { + "group": "coordination.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "discovery.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": 
"discovery.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "eks.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "events.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "events.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "ext.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "extensions", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "fleet.cattle.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta2" + }, + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta3" + }, + { + "group": "gke.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "imagepolicy.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "internal.apiserver.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "k3s.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "management.cattle.io", + "kind": "DeleteOptions", + "version": "v3" + }, + { + "group": "meta.k8s.io", + "kind": "DeleteOptions", + "version": "__internal" + }, + { + "group": "meta.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "networking.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "networking.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "node.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "node.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "node.k8s.io", + "kind": "DeleteOptions", 
+ "version": "v1beta1" + }, + { + "group": "policy", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "policy", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "project.cattle.io", + "kind": "DeleteOptions", + "version": "v3" + }, + { + "group": "provisioning.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "rbac.authorization.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "rbac.authorization.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "rbac.authorization.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha3" + }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta2" + }, + { + "group": "rke.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "scheduling.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "scheduling.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "scheduling.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "storage.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "storage.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "storage.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "storagemigration.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "telemetry.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "upgrade.cattle.io", + "kind": "DeleteOptions", + "version": "v1" + } + ] + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1": { + "description": "FieldsV1 stores a set of fields 
in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:\u003cname\u003e', where \u003cname\u003e is the name of a field in a struct, or key in a map 'v:\u003cvalue\u003e', where \u003cvalue\u003e is the exact json formatted value of a list item 'i:\u003cindex\u003e', where \u003cindex\u003e is position of a item in a list 'k:\u003ckeys\u003e', where \u003ckeys\u003e is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": "object" + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta": { + "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.", + "type": "object", + "properties": { + "continue": { + "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", + "type": "string" + }, + "remainingItemCount": { + "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. 
If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.", + "type": "integer", + "format": "int64" + }, + "resourceVersion": { + "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": "string" + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": "string" + } + } + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": "string" + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. 
There is currently only one possible value: \"FieldsV1\"", + "type": "string" + }, + "fieldsV1": { + "description": "FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1" + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": "string" + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", + "type": "string" + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": "string" + }, + "time": { + "description": "Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + } + } + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "type": "object", + "properties": { + "annotations": { + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. 
They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "creationTimestamp": { + "description": "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "type": "integer", + "format": "int64" + }, + "deletionTimestamp": { + "description": "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. 
After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "type": "array", + "items": { + "type": "string" + }, + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. 
This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": "string" + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "type": "integer", + "format": "int64" + }, + "labels": { + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "type": "array", + "items": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry" + }, + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": "string" + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "type": "array", + "items": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference" + }, + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": "string" + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": "string" + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + } + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "type": "object", + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": "boolean" + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": "boolean" + }, + "kind": { + "description": "Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.Patch": { + "description": "Patch is provided to give a concrete name and type to the Kubernetes PATCH request body.", + "type": "object" + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions": { + "description": "Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.", + "type": "object", + "properties": { + "resourceVersion": { + "description": "Specifies the target ResourceVersion", + "type": "string" + }, + "uid": { + "description": "Specifies the target UID.", + "type": "string" + } + } + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.Status": { + "description": "Status is a return value for calls that don't return other objects.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "code": { + "description": "Suggested HTTP return code for this status, 0 if not set.", + "type": "integer", + "format": "int32" + }, + "details": { + "description": "Extended data associated with the reason. Each reason may define its own extended details. 
This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails", + "x-kubernetes-list-type": "atomic" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "message": { + "description": "A human-readable description of the status of this operation.", + "type": "string" + }, + "metadata": { + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + }, + "reason": { + "description": "A machine-readable description of why this operation is in the \"Failure\" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it.", + "type": "string" + }, + "status": { + "description": "Status of the operation. One of: \"Success\" or \"Failure\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status", + "type": "string" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "", + "kind": "Status", + "version": "v1" + } + ] + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause": { + "description": "StatusCause provides more information about an api.Status failure, including cases when multiple errors are encountered.", + "type": "object", + "properties": { + "field": { + "description": "The field of the resource that has caused this error, as named by its JSON serialization. May include dot and postfix notation for nested attributes. 
Arrays are zero-indexed. Fields may appear more than once in an array of causes due to fields having multiple errors. Optional.\n\nExamples:\n \"name\" - the field \"name\" on the current resource\n \"items[0].name\" - the field \"name\" on the first array entry in \"items\"", + "type": "string" + }, + "message": { + "description": "A human-readable description of the cause of the error. This field may be presented as-is to a reader.", + "type": "string" + }, + "reason": { + "description": "A machine-readable description of the cause of the error. If this value is empty there is no information available.", + "type": "string" + } + } + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails": { + "description": "StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.", + "type": "object", + "properties": { + "causes": { + "description": "The Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes.", + "type": "array", + "items": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause" + }, + "x-kubernetes-list-type": "atomic" + }, + "group": { + "description": "The group attribute of the resource associated with the status StatusReason.", + "type": "string" + }, + "kind": { + "description": "The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).", + "type": "string" + }, + "retryAfterSeconds": { + "description": "If specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.", + "type": "integer", + "format": "int32" + }, + "uid": { + "description": "UID of the resource. (when there is a single resource which can be described). More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + } + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.Time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", + "type": "string", + "format": "date-time" + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent": { + "description": "Event represents a single event to a watched resource.", + "type": "object", + "required": [ + "type", + "object" + ], + "properties": { + "object": { + "description": "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n depending on context.", + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension" + }, + "type": { + "type": "string" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "admission.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "admission.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "aks.cattle.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "ali.cattle.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "apiextensions.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "apiextensions.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "apiregistration.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "apiregistration.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "apps", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "apps", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "apps", + 
"kind": "WatchEvent", + "version": "v1beta2" + }, + { + "group": "auditlog.cattle.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "authentication.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "authentication.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "authentication.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "authorization.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "authorization.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "autoscaling", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "autoscaling", + "kind": "WatchEvent", + "version": "v2" + }, + { + "group": "autoscaling", + "kind": "WatchEvent", + "version": "v2beta1" + }, + { + "group": "autoscaling", + "kind": "WatchEvent", + "version": "v2beta2" + }, + { + "group": "batch", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "batch", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "catalog.cattle.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "certificates.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "certificates.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "certificates.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "cluster.cattle.io", + "kind": "WatchEvent", + "version": "v3" + }, + { + "group": "cluster.x-k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "coordination.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "coordination.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha2" + }, + { + "group": "coordination.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "discovery.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "discovery.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + 
}, + { + "group": "eks.cattle.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "events.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "events.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "ext.cattle.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "extensions", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "fleet.cattle.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "WatchEvent", + "version": "v1beta2" + }, + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "WatchEvent", + "version": "v1beta3" + }, + { + "group": "gke.cattle.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "imagepolicy.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "internal.apiserver.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "k3s.cattle.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "management.cattle.io", + "kind": "WatchEvent", + "version": "v3" + }, + { + "group": "meta.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "networking.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "networking.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "node.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "node.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "node.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "policy", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "policy", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "project.cattle.io", + "kind": 
"WatchEvent", + "version": "v3" + }, + { + "group": "provisioning.cattle.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "rbac.authorization.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "rbac.authorization.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "rbac.authorization.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha3" + }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta2" + }, + { + "group": "rke.cattle.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "scheduling.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "scheduling.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "scheduling.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "storage.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "storage.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "storage.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "storagemigration.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "telemetry.cattle.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "upgrade.cattle.io", + "kind": "WatchEvent", + "version": "v1" + } + ] + }, + "io.k8s.apimachinery.pkg.runtime.RawExtension": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "parameters": { + "allowWatchBookmarks-HC2hJt-J": { + "uniqueItems": true, + "type": "boolean", + "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. 
If this is not a watch, this field is ignored.", + "name": "allowWatchBookmarks", + "in": "query" + }, + "body-2Y1dVQaQ": { + "name": "body", + "in": "body", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions" + } + }, + "body-78PwaGsr": { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Patch" + } + }, + "command-Py3eQybp": { + "uniqueItems": true, + "type": "string", + "description": "Command is the remote command to execute. argv array. Not executed within a shell.", + "name": "command", + "in": "query" + }, + "container-1GeXxFDC": { + "uniqueItems": true, + "type": "string", + "description": "The container for which to stream logs. Defaults to only container if there is one container in the pod.", + "name": "container", + "in": "query" + }, + "container-_Q-EJ3nR": { + "uniqueItems": true, + "type": "string", + "description": "The container in which to execute the command. Defaults to only container if there is only one container in the pod.", + "name": "container", + "in": "query" + }, + "container-i5dOmRiM": { + "uniqueItems": true, + "type": "string", + "description": "Container in which to execute the command. Defaults to only container if there is only one container in the pod.", + "name": "container", + "in": "query" + }, + "continue-QfD61s0i": { + "uniqueItems": true, + "type": "string", + "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. 
If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.", + "name": "continue", + "in": "query" + }, + "fieldManager-7c6nTn1T": { + "uniqueItems": true, + "type": "string", + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).", + "name": "fieldManager", + "in": "query" + }, + "fieldManager-Qy4HdaTW": { + "uniqueItems": true, + "type": "string", + "description": "fieldManager is a name associated with the actor or entity that is making these changes. 
The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.", + "name": "fieldManager", + "in": "query" + }, + "fieldSelector-xIcQKXFG": { + "uniqueItems": true, + "type": "string", + "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.", + "name": "fieldSelector", + "in": "query" + }, + "follow-9OIXh_2R": { + "uniqueItems": true, + "type": "boolean", + "description": "Follow the log stream of the pod. Defaults to false.", + "name": "follow", + "in": "query" + }, + "force-tOGGb0Yi": { + "uniqueItems": true, + "type": "boolean", + "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.", + "name": "force", + "in": "query" + }, + "gracePeriodSeconds--K5HaBOS": { + "uniqueItems": true, + "type": "integer", + "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.", + "name": "gracePeriodSeconds", + "in": "query" + }, + "ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj": { + "uniqueItems": true, + "type": "boolean", + "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. 
WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it", + "name": "ignoreStoreReadErrorWithClusterBreakingPotential", + "in": "query" + }, + "insecureSkipTLSVerifyBackend-gM00jVbe": { + "uniqueItems": true, + "type": "boolean", + "description": "insecureSkipTLSVerifyBackend indicates that the apiserver should not confirm the validity of the serving certificate of the backend it is connecting to. This will make the HTTPS connection between the apiserver and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real kubelet. If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept the actual log data coming from the real kubelet).", + "name": "insecureSkipTLSVerifyBackend", + "in": "query" + }, + "labelSelector-5Zw57w4C": { + "uniqueItems": true, + "type": "string", + "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.", + "name": "labelSelector", + "in": "query" + }, + "limit-1NfNmdNH": { + "uniqueItems": true, + "type": "integer", + "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. 
Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.", + "name": "limit", + "in": "query" + }, + "limitBytes-zwd1RXuc": { + "uniqueItems": true, + "type": "integer", + "description": "If set, the number of bytes to read from the server before terminating the log output. This may not display a complete final line of logging, and may return slightly more or slightly less than the specified limit.", + "name": "limitBytes", + "in": "query" + }, + "namespace-vgWSWtn3": { + "uniqueItems": true, + "type": "string", + "description": "object name and auth scope, such as for teams and projects", + "name": "namespace", + "in": "path", + "required": true + }, + "orphanDependents-uRB25kX5": { + "uniqueItems": true, + "type": "boolean", + "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. 
Either this field or PropagationPolicy may be set, but not both.", + "name": "orphanDependents", + "in": "query" + }, + "path-QCf0eosM": { + "uniqueItems": true, + "type": "string", + "description": "Path is the part of URLs that include service endpoints, suffixes, and parameters to use for the current proxy request to service. For example, the whole request URL is http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy. Path is _search?q=user:kimchy.", + "name": "path", + "in": "query" + }, + "path-oPbzgLUj": { + "uniqueItems": true, + "type": "string", + "description": "Path is the URL path to use for the current proxy request to pod.", + "name": "path", + "in": "query" + }, + "path-rFDtV0x9": { + "uniqueItems": true, + "type": "string", + "description": "Path is the URL path to use for the current proxy request to node.", + "name": "path", + "in": "query" + }, + "path-z6Ciiujn": { + "uniqueItems": true, + "type": "string", + "description": "path to the resource", + "name": "path", + "in": "path", + "required": true + }, + "ports-91KROJmm": { + "uniqueItems": true, + "type": "integer", + "description": "List of ports to forward Required when using WebSockets", + "name": "ports", + "in": "query" + }, + "pretty-tJGM1-ng": { + "uniqueItems": true, + "type": "string", + "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).", + "name": "pretty", + "in": "query" + }, + "previous-1jxDPu3y": { + "uniqueItems": true, + "type": "boolean", + "description": "Return previous terminated container logs. Defaults to false.", + "name": "previous", + "in": "query" + }, + "propagationPolicy-6jk3prlO": { + "uniqueItems": true, + "type": "string", + "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. 
The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.", + "name": "propagationPolicy", + "in": "query" + }, + "resourceVersion-5WAnf1kx": { + "uniqueItems": true, + "type": "string", + "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "name": "resourceVersion", + "in": "query" + }, + "resourceVersionMatch-t8XhRHeC": { + "uniqueItems": true, + "type": "string", + "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "name": "resourceVersionMatch", + "in": "query" + }, + "sendInitialEvents-rLXlEK_k": { + "uniqueItems": true, + "type": "boolean", + "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. 
The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n is interpreted as \"data at least as new as the provided `resourceVersion`\"\n and the bookmark event is send when the state is synced\n to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n bookmark event is send when the state is synced at least to the moment\n when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.", + "name": "sendInitialEvents", + "in": "query" + }, + "sinceSeconds-vE2NLdnP": { + "uniqueItems": true, + "type": "integer", + "description": "A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned. Only one of sinceSeconds or sinceTime may be specified.", + "name": "sinceSeconds", + "in": "query" + }, + "stderr-26jJhFUR": { + "uniqueItems": true, + "type": "boolean", + "description": "Stderr if true indicates that stderr is to be redirected for the attach call. Defaults to true.", + "name": "stderr", + "in": "query" + }, + "stderr-W_1TNlWc": { + "uniqueItems": true, + "type": "boolean", + "description": "Redirect the standard error stream of the pod for this call.", + "name": "stderr", + "in": "query" + }, + "stdin-PSzNhyUC": { + "uniqueItems": true, + "type": "boolean", + "description": "Redirect the standard input stream of the pod for this call. Defaults to false.", + "name": "stdin", + "in": "query" + }, + "stdin-sEFnN3IS": { + "uniqueItems": true, + "type": "boolean", + "description": "Stdin if true, redirects the standard input stream of the pod for this call. 
Defaults to false.", + "name": "stdin", + "in": "query" + }, + "stdout--EZLRwV1": { + "uniqueItems": true, + "type": "boolean", + "description": "Redirect the standard output stream of the pod for this call.", + "name": "stdout", + "in": "query" + }, + "stdout-005YMKE6": { + "uniqueItems": true, + "type": "boolean", + "description": "Stdout if true indicates that stdout is to be redirected for the attach call. Defaults to true.", + "name": "stdout", + "in": "query" + }, + "stream-l-48cgXv": { + "uniqueItems": true, + "type": "string", + "description": "Specify which container log stream to return to the client. Acceptable values are \"All\", \"Stdout\" and \"Stderr\". If not specified, \"All\" is used, and both stdout and stderr are returned interleaved. Note that when \"TailLines\" is specified, \"Stream\" can only be set to nil or \"All\".", + "name": "stream", + "in": "query" + }, + "tailLines-9xQLWHMV": { + "uniqueItems": true, + "type": "integer", + "description": "If set, the number of lines from the end of the logs to show. If not specified, logs are shown from the creation of the container or sinceSeconds or sinceTime. Note that when \"TailLines\" is specified, \"Stream\" can only be set to nil or \"All\".", + "name": "tailLines", + "in": "query" + }, + "timeoutSeconds-yvYezaOC": { + "uniqueItems": true, + "type": "integer", + "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.", + "name": "timeoutSeconds", + "in": "query" + }, + "timestamps-c17fW1w_": { + "uniqueItems": true, + "type": "boolean", + "description": "If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line of log output. Defaults to false.", + "name": "timestamps", + "in": "query" + }, + "tty-g7MlET_l": { + "uniqueItems": true, + "type": "boolean", + "description": "TTY if true indicates that a tty will be allocated for the attach call. 
This is passed through the container runtime so the tty is allocated on the worker node by the container runtime. Defaults to false.", + "name": "tty", + "in": "query" + }, + "tty-s0flW37O": { + "uniqueItems": true, + "type": "boolean", + "description": "TTY if true indicates that a tty will be allocated for the exec call. Defaults to false.", + "name": "tty", + "in": "query" + }, + "watch-XNNPZGbK": { + "uniqueItems": true, + "type": "boolean", + "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.", + "name": "watch", + "in": "query" + } + }, + "securityDefinitions": { + "BearerToken": { + "description": "Bearer Token authentication", + "type": "apiKey", + "name": "authorization", + "in": "header" + } + }, + "security": [ + { + "BearerToken": [] + } + ] +} \ No newline at end of file diff --git a/shared-files/_cni-popularity.md b/shared-files/_cni-popularity.md index e983d5b3690..2e22a703585 100644 --- a/shared-files/_cni-popularity.md +++ b/shared-files/_cni-popularity.md @@ -4,7 +4,7 @@ The following table summarizes different GitHub metrics to give you an idea of e | Provider | Project | Stars | Forks | Contributors | | ---- | ---- | ---- | ---- | ---- | | Canal | https://github.com/projectcalico/canal | 721 | 98 | 20 | -| Flannel | https://github.com/flannel-io/flannel | 9.3k | 2.9k | 243 | -| Calico | https://github.com/projectcalico/calico | 6.8k | 1.5k | 387 | -| Weave | https://github.com/weaveworks/weave | 6.6k | 679 | 84 | -| Cilium | https://github.com/cilium/cilium | 22.7k | 3.4k | 1,002 | +| Flannel | https://github.com/flannel-io/flannel | 9.3k | 2.9k | 244 | +| Calico | https://github.com/projectcalico/calico | 6.9k | 1.5k | 392 | +| Weave | https://github.com/weaveworks/weave | 6.6k | 680 | 84 | +| Cilium | https://github.com/cilium/cilium | 22.9k | 3.4k | 1,012 | 
diff --git a/shared-files/_configure-slo-oidc.md b/shared-files/_configure-slo-oidc.md new file mode 100644 index 00000000000..6bf6b544622 --- /dev/null +++ b/shared-files/_configure-slo-oidc.md 
@@ -0,0 +1,39 @@
+Rancher supports the ability to configure OIDC Single Logout (SLO). Options include logging out of the Rancher application only, logging out of Rancher and registered applications tied to the external authentication provider, or a prompt asking the user to choose between the previous options.
+
+### Prerequisites
+
+Before configuring OIDC SLO, ensure the following is set up on your IdP:
+
+- **SLO Support**: The **Log Out behavior** configuration section only appears if your OIDC IdP allows for `OIDC SLO`.
+- **Post-Logout Redirect URI**: Your Rancher Server URL must be configured as an authorized post-logout redirect URI in your IdP's OIDC client settings. This URL is used by the IdP to redirect a user back to Rancher after a successful external logout.
+
+### OIDC SLO Configuration
+
+Configure the SLO settings when setting up or editing your OIDC authentication provider.
+
+1. Sign in to Rancher using a standard user or an administrator role.
+1. In the top left corner, select **☰** > **Users & Authentication**.
+1. In the left navigation menu, select **Auth Provider**.
+1. Under the section **Log Out behavior**, choose the appropriate SLO setting as described below:
+
+ | Setting | Description |
+ | ------------------------- | ----------------------------------------------------------------------------- |
+ | Log out of Rancher and not authentication provider | Choosing this option will only logout the Rancher application and not external authentication providers. |
+ | Log out of Rancher and authentication provider (includes all other applications registered with authentication provider) | Choosing this option will logout Rancher and all external authentication providers along with any registered applications linked to the provider. |
+ | Allow the user to choose one of the above in an additional log out step | Choosing this option presents users with a choice of logout method as described above. |
+
+1. If you choose to log out of your IdP, provide an [**End Session Endpoint**](#how-to-get-the-end-session-endpoint). Rancher uses this URL to initiate the external logout.
+
+#### How to get the End Session Endpoint
+
+The `end_session_endpoint` is one of the specific URLs published within a standardized JSON object containing the IdP's metadata and is retrieved from the OIDC Discovery URL. To get the `end_session_endpoint` from the OIDC Discovery URL, follow these steps:
+
+1. Obtain the Discovery URL by appending the IdP Issuer URL with the well-known path (`.well-known/openid-configuration`).
+1. Send an HTTP `GET` request to the Discovery URL.
+1. In the JSON object, look for the key named `end_session_endpoint` and retrieve the URL.
+
+ You can also use a `curl` command to retrieve `end_session_endpoint`:
+
+ ```sh
+ curl -s /.well-known/openid-configuration | jq '.end_session_endpoint'
+ ```
diff --git a/shared-files/_glossary.md b/shared-files/_glossary.md
index 91f8eb155ec..c2646ed7f11 100644
--- a/shared-files/_glossary.md
+++ b/shared-files/_glossary.md
@@ -308,6 +308,12 @@

Related terms: Downstream cluster, Hosted cluster, Imported cluster, Managed cluster, Registered cluster

+
+ User +
+
+ A Rancher resource users.management.cattle.io that defines a user within Rancher. +
## W @@ -319,4 +325,4 @@
Objects that set deployment rules for pods. Based on these rules, Kubernetes performs the deployment and updates the workload with the current state of the application. Workloads let you define the rules for application scheduling, scaling, and upgrade.
- \ No newline at end of file + diff --git a/sidebars.js b/sidebars.js index 4f54bb715f1..73b0e3411a3 100644 --- a/sidebars.js +++ b/sidebars.js @@ -228,6 +228,7 @@ const sidebars = { "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-freeipa", "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad", "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github", + "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github-app", "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc", "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml", "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity", @@ -771,7 +772,7 @@ const sidebars = { "how-to-guides/advanced-user-guides/enable-experimental-features/unsupported-storage-drivers", "how-to-guides/advanced-user-guides/enable-experimental-features/istio-traffic-management-features", "how-to-guides/advanced-user-guides/enable-experimental-features/continuous-delivery", - "how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation", + "how-to-guides/advanced-user-guides/enable-experimental-features/role-template-aggregation", ], }, "how-to-guides/advanced-user-guides/open-ports-with-firewalld", 
@@ -882,9 +883,7 @@ const sidebars = { type: "doc", id: "reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes", }, - items: [ - "reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options", - ], + items: [], }, "reference-guides/cluster-configuration/rancher-server-configuration/sync-clusters", ], @@ -1013,6 +1012,8 @@ const sidebars = { "reference-guides/system-tools", + "reference-guides/dual-stack", + "reference-guides/rke1-template-example-yaml", "reference-guides/rancher-webhook", { @@ -1273,7 +1274,8 @@ const sidebars = { label: "Example Workflows", items: ["api/workflows/projects", "api/workflows/kubeconfigs", - "api/workflows/tokens"], + "api/workflows/tokens", + "api/workflows/users"], }, "api/api-reference", "api/api-tokens", diff --git a/src/pages/versions.md b/src/pages/versions.md index d00ed6e18ca..188a70818c3 100644 --- a/src/pages/versions.md +++ b/src/pages/versions.md @@ -5,6 +5,27 @@ title: Rancher Documentation Versions ### Current Versions +Here you can find links to supporting documentation for the current released version of Rancher v2.13, and its availability for [Rancher Prime](/v2.13/getting-started/quick-start-guides/deploy-rancher-manager/prime) and the Community version of Rancher: + + + + + + + + + + + + + + + + + + +
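Review bot: The `items: []` added in the `@@ -882,9 +883,7 @@` hunk leaves a category object with no children around the use-existing-nodes page, which is harder to read than a plain entry and depends on how the sidebar generator treats empty categories. Since the surviving `type: "doc", id: ...` lines look like the category's link, the whole object could probably be replaced by the doc id alone, `"reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes",`. The category object opens above the hunk, so its `type`/`label` lines are not visible here and should be checked before collapsing it. If the `rancher-agent-options` page is being removed rather than just hidden from the sidebar, it is also worth confirming that links pointing at it are redirected.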
VersionDocumentationRelease NotesSupport MatrixPrimeCommunity
v2.13.0DocumentationRelease Notes
N/A
N/A
+ Here you can find links to supporting documentation for the current released version of Rancher v2.12, and its availability for [Rancher Prime](/v2.12/getting-started/quick-start-guides/deploy-rancher-manager/prime) and the Community version of Rancher: diff --git a/src/theme/MDXComponents.js b/src/theme/MDXComponents.js index ed2496bba5d..fc29fa7edc6 100644 --- a/src/theme/MDXComponents.js +++ b/src/theme/MDXComponents.js @@ -12,6 +12,7 @@ import DeprecationWeave from '/shared-files/_deprecation-weave.md'; import DeprecationHelm2 from '/shared-files/_deprecation-helm2.md'; import DockerSupportWarning from '/shared-files/_docker-support-warning.md'; import ConfigureSLO from '/shared-files/_configure-slo.md'; +import ConfigureSLOOidc from '/shared-files/_configure-slo-oidc.md'; import EOLRKE1Warning from '/shared-files/_eol-rke1-warning.md'; import PermissionsWarning from '/shared-files/_permissions-warning.md'; @@ -27,6 +28,7 @@ export default { CNIPopularityTable, ConfigureSLO, + ConfigureSLOOidc, DeprecationOPAGatekeeper, DeprecationWeave, DeprecationHelm2, diff --git a/versioned_docs/version-2.13/api/api-reference.mdx b/versioned_docs/version-2.13/api/api-reference.mdx index ca78ba81cc8..caada3bcaf5 100644 --- a/versioned_docs/version-2.13/api/api-reference.mdx +++ b/versioned_docs/version-2.13/api/api-reference.mdx @@ -15,4 +15,4 @@ At this time, not all Rancher resources are available through the Rancher Kubern import ApiDocMdx from '@theme/ApiDocMdx'; - + diff --git a/versioned_docs/version-2.13/api/api-tokens.md b/versioned_docs/version-2.13/api/api-tokens.md index cecfd9af3cc..fb1b9d0db1e 100644 --- a/versioned_docs/version-2.13/api/api-tokens.md +++ b/versioned_docs/version-2.13/api/api-tokens.md 
@@ -60,17 +60,23 @@ This feature affects all tokens which include, but are not limited to, the follo These global settings affect Rancher token behavior. -| Setting | Description | -| ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) | TTL in minutes on a user auth session token. | -| [`kubeconfig-default-token-ttl-minutes`](#kubeconfig-default-token-ttl-minutes) | Default TTL applied to all kubeconfig tokens except for tokens [generated by Rancher CLI](#disable-tokens-in-generated-kubeconfigs). | -| [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes) | Max TTL for all tokens except those controlled by [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes). | -| [`kubeconfig-generate-token`](#kubeconfig-generate-token) | If true, automatically generate tokens when a user downloads a kubeconfig. | +| Setting | Description | +| ------- | ----------- | +| [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) | TTL in minutes on a user auth session token. | +| [`auth-user-session-idle-ttl-minutes`](#auth-user-session-idle-ttl-minutes) | TTL in minutes on a user auth session token, without user activity. | +| [`kubeconfig-default-token-ttl-minutes`](#kubeconfig-default-token-ttl-minutes) | Default TTL applied to all kubeconfig tokens except for tokens [generated by Rancher CLI](#disable-tokens-in-generated-kubeconfigs). | +| [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes) | Max TTL for all tokens except those controlled by [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes). 
| +| [`kubeconfig-generate-token`](#kubeconfig-generate-token) | If true, automatically generate tokens when a user downloads a kubeconfig. | ### auth-user-session-ttl-minutes Time to live (TTL) duration in minutes, used to determine when a user auth session token expires. When expired, the user must log in and obtain a new token. This setting is not affected by [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes). Session tokens are created when a user logs into Rancher. +### auth-user-session-idle-ttl-minutes + +Time to live (TTL) without user activity for login sessions tokens, in minutes. +By default, [`auth-user-session-idle-ttl-minutes`](#auth-user-session-idle-ttl-minutes) is set to the same value as [`auth-user-session-ttl-minutes`](#auth-user-session-ttl-minutes) (for backward compatibility). It must never exceed the value of `auth-user-session-ttl-minutes`. + ### kubeconfig-default-token-ttl-minutes Time to live (TTL) duration in minutes, used to determine when a kubeconfig token expires. When the token is expired, the API rejects the token. This setting can't be larger than [`auth-token-max-ttl-minutes`](#auth-token-max-ttl-minutes). This setting applies to tokens generated in a requested kubeconfig file, except for tokens [generated by Rancher CLI](#disable-tokens-in-generated-kubeconfigs). As of Rancher v2.8, the default duration is `43200`, which means that tokens expire in 30 days. diff --git a/versioned_docs/version-2.13/api/workflows/kubeconfigs.md b/versioned_docs/version-2.13/api/workflows/kubeconfigs.md index a6e156f3272..6ef8e2e9817 100644 --- a/versioned_docs/version-2.13/api/workflows/kubeconfigs.md +++ b/versioned_docs/version-2.13/api/workflows/kubeconfigs.md 
@@ -20,14 +20,6 @@ To get a description of the fields and structure of the Kubeconfig resource, run kubectl explain kubeconfigs.ext.cattle.io ``` -## Feature Flag - -The Kubeconfigs Public API is available since Rancher v2.12.0 and is enabled by default. It can be disabled by setting the `ext-kubeconfigs` feature flag to `false`. - -```sh -kubectl patch feature ext-kubeconfigs -p '{"spec":{"value":false}}' -``` - ## Creating a Kubeconfig Only a **valid and active** Rancher user can create a Kubeconfig. For example, trying to create a Kubeconfig using a `system:admin` service account will lead to an error: diff --git a/versioned_docs/version-2.13/api/workflows/tokens.md b/versioned_docs/version-2.13/api/workflows/tokens.md index 999340c1613..87c11bdb3f3 100644 --- a/versioned_docs/version-2.13/api/workflows/tokens.md +++ b/versioned_docs/version-2.13/api/workflows/tokens.md @@ -20,20 +20,14 @@ To get a description of the fields and structure of the Token resource, run: kubectl explain tokens.ext.cattle.io ``` -## Feature Flag - -The Tokens Public API is available for Rancher v2.12.0 and later, and is enabled by default. You can disable the Tokens Public API by setting the `ext-tokens` feature flag to `false` as shown in the example `kubectl` command below: - -```sh -kubectl patch feature ext-tokens -p '{"spec":{"value":false}}' -``` - ## Creating a Token :::caution The Token value is only returned once in the `status.value` field. ::: +Since Rancher v2.13.0 the `status.bearerToken` now contains a fully formed and ready-to-use Bearer token that can be used to authenticate to [Rancher API](../v3-rancher-api-guide.md). + Only a **valid and active** Rancher user can create a Token. Otherwise, you will get an error displayed (`Error from server (Forbidden)...`) when attempting to create a Token. ```bash diff --git a/versioned_docs/version-2.13/api/workflows/users.md b/versioned_docs/version-2.13/api/workflows/users.md new file mode 100644 index 00000000000..0299427a953 
--- /dev/null +++ b/versioned_docs/version-2.13/api/workflows/users.md @@ -0,0 +1,186 @@ +--- +title: Users +--- + +## User Resource + +The `User` resource (users.management.cattle.io) represents a user account in Rancher. + +To get a description of the fields and structure of the `User` resource, run: +```sh +kubectl explain users.management.cattle.io +``` + +## Creating a User + +Creating a local user is a two-step process: you must create the `User` resource, then provide a password via a Kubernetes `Secret`. + +Only a user with sufficient permissions can create a `User` resource. + +```bash +kubectl create -f -< -Please see the following reference guides for other installation resources: [Rancher Helm chart options](helm-chart-options.md), [TLS settings](tls-settings.md), and [feature flags](feature-flags.md). \ No newline at end of file +Please see the following reference guides for other installation resources: [Rancher Helm chart options](helm-chart-options.md), [TLS settings](tls-settings.md), and [feature flags](feature-flags.md). diff --git a/versioned_docs/version-2.13/getting-started/installation-and-upgrade/installation-requirements/installation-requirements.md b/versioned_docs/version-2.13/getting-started/installation-and-upgrade/installation-requirements/installation-requirements.md index 244f0cf39c1..c5f7181fca5 100644 --- a/versioned_docs/version-2.13/getting-started/installation-and-upgrade/installation-requirements/installation-requirements.md +++ b/versioned_docs/version-2.13/getting-started/installation-and-upgrade/installation-requirements/installation-requirements.md 
@@ -25,10 +25,16 @@ Rancher needs to be installed on a supported Kubernetes version. Consult the [Ra Regardless of version and distribution, the Kubernetes cluster must have the aggregation API layer properly configured to support the [extension API](../../../api/extension-apiserver.md) used by Rancher. -### Install Rancher on a Hardened Kubernetes cluster +### Install Rancher on a Hardened Kubernetes Cluster If you install Rancher on a hardened Kubernetes cluster, check the [Exempting Required Rancher Namespaces](../../../how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md#exempting-required-rancher-namespaces) section for detailed requirements. +### Install Rancher on an IPv6-only or Dual-stack Kubernetes Cluster + +You can deploy Rancher on an IPv6-only or dual-stack Kubernetes cluster. + +For details on Rancher’s IPv6-only and dual-stack support, see the [IPv4/IPv6 Dual-stack](../../../reference-guides/dual-stack.md) page. + ## Operating Systems and Container Runtime Requirements All supported operating systems are 64-bit x86. Rancher should work with any modern Linux distribution. diff --git a/versioned_docs/version-2.13/getting-started/installation-and-upgrade/installation-requirements/port-requirements.md b/versioned_docs/version-2.13/getting-started/installation-and-upgrade/installation-requirements/port-requirements.md index 8f291a22390..46ca5ec7d49 100644 --- a/versioned_docs/version-2.13/getting-started/installation-and-upgrade/installation-requirements/port-requirements.md +++ b/versioned_docs/version-2.13/getting-started/installation-and-upgrade/installation-requirements/port-requirements.md 
@@ -238,21 +238,23 @@ In these cases, you have to explicitly allow this traffic in your host firewall, When using the [AWS EC2 node driver](../../../how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md) to provision cluster nodes in Rancher, you can choose to let Rancher create a security group called `rancher-nodes`. The following rules are automatically added to this security group. -| Type | Protocol | Port Range | Source/Destination | Rule Type | +| Type | Protocol | Port Range | Source/Destination | Rule Type | |-----------------|:--------:|:-----------:|------------------------|:---------:| -| SSH | TCP | 22 | 0.0.0.0/0 | Inbound | -| HTTP | TCP | 80 | 0.0.0.0/0 | Inbound | -| Custom TCP Rule | TCP | 443 | 0.0.0.0/0 | Inbound | -| Custom TCP Rule | TCP | 2376 | 0.0.0.0/0 | Inbound | -| Custom TCP Rule | TCP | 2379-2380 | sg-xxx (rancher-nodes) | Inbound | -| Custom UDP Rule | UDP | 4789 | sg-xxx (rancher-nodes) | Inbound | -| Custom TCP Rule | TCP | 6443 | 0.0.0.0/0 | Inbound | -| Custom UDP Rule | UDP | 8472 | sg-xxx (rancher-nodes) | Inbound | -| Custom TCP Rule | TCP | 10250-10252 | sg-xxx (rancher-nodes) | Inbound | -| Custom TCP Rule | TCP | 10256 | sg-xxx (rancher-nodes) | Inbound | -| Custom TCP Rule | TCP | 30000-32767 | 0.0.0.0/0 | Inbound | -| Custom UDP Rule | UDP | 30000-32767 | 0.0.0.0/0 | Inbound | -| All traffic | All | All | 0.0.0.0/0 | Outbound | +| SSH | TCP | 22 | 0.0.0.0/0 and ::/0 | Inbound | +| HTTP | TCP | 80 | 0.0.0.0/0 and ::/0 | Inbound | +| Custom TCP Rule | TCP | 443 | 0.0.0.0/0 and ::/0 | Inbound | +| Custom TCP Rule | TCP | 2376 | 0.0.0.0/0 and ::/0 | Inbound | +| Custom TCP Rule | TCP | 6443 | 0.0.0.0/0 and ::/0 | Inbound | +| Custom TCP Rule | TCP | 179 | sg-xxx (rancher-nodes) | Inbound | +| Custom TCP Rule | TCP | 9345 | sg-xxx (rancher-nodes) | Inbound | +| Custom TCP Rule | TCP | 2379-2380 | sg-xxx (rancher-nodes) | Inbound | +| Custom TCP Rule | TCP 
| 10250-10252 | sg-xxx (rancher-nodes) | Inbound | +| Custom TCP Rule | TCP | 10256 | sg-xxx (rancher-nodes) | Inbound | +| Custom UDP Rule | UDP | 4789 | sg-xxx (rancher-nodes) | Inbound | +| Custom UDP Rule | UDP | 8472 | sg-xxx (rancher-nodes) | Inbound | +| Custom TCP Rule | TCP | 30000-32767 | 0.0.0.0/0 and ::/0 | Inbound | +| Custom UDP Rule | UDP | 30000-32767 | 0.0.0.0/0 and ::/0 | Inbound | +| All traffic | All | All | 0.0.0.0/0 and ::/0 | Outbound | ### Opening SUSE Linux Ports diff --git a/versioned_docs/version-2.13/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md b/versioned_docs/version-2.13/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md deleted file mode 100644 index 9747c6db81e..00000000000 --- a/versioned_docs/version-2.13/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md +++ /dev/null 
@@ -1,19 +0,0 @@
----
-title: ClusterRole Aggregation
----
-
-
-
-
-
-:::caution
-ClusterRole aggregation is a highly experimental feature that changes the RBAC architecture used for RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings. **It is not supported for production environments**. This feature is meant exclusively for internal testing in v2.11 and v2.12. It is expected to be available as a beta for users in v2.13.
-:::
-
-ClusterRole aggregation implements RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings using the Kubernetes feature [Aggregated ClusterRoles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles). The new architecture results in a net reduction in RBAC objects (Roles, RoleBindings, ClusterRoles and ClusterRoleBindings) both in the Rancher cluster and the downstream clusters.
-
-| Environment Variable Key | Default Value | Description |
-| --- | --- | --- |
-| `aggregated-roletemplates` | `false` | [Experimental] Make RoleTemplates use aggregation for generated RBAC roles. |
-
-The value of this feature flag is locked on installation, which shows up in the UI as a lock symbol beside the feature flag. That means the feature can only be set on the first ever installation of Rancher. After that, attempting to modify the value will be denied.
diff --git a/versioned_docs/version-2.13/how-to-guides/advanced-user-guides/enable-experimental-features/role-template-aggregation.md b/versioned_docs/version-2.13/how-to-guides/advanced-user-guides/enable-experimental-features/role-template-aggregation.md
new file mode 100644
index 00000000000..d5ec106cb2a
--- /dev/null
+++ b/versioned_docs/version-2.13/how-to-guides/advanced-user-guides/enable-experimental-features/role-template-aggregation.md
@@ -0,0 +1,21 @@
+---
+title: RoleTemplate Aggregation
+---
+
+
+
+
+
+:::caution
+RoleTemplate aggregation is an experimental feature in v2.13 that changes the RBAC architecture used for RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings. **It is not supported for production environments**. Breaking changes may occur between v2.13 and v2.14.
+:::
+
+RoleTemplate aggregation implements RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings using the Kubernetes feature [Aggregated ClusterRoles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles). The new architecture results in a net reduction in RBAC objects (Roles, RoleBindings, ClusterRoles and ClusterRoleBindings) both in the Rancher cluster and the downstream clusters.
+
+For more information on how the feature can improve scalability and performance, please see the [Rancher Blog post](https://www.suse.com/c/rancher_blog/fewer-bindings-more-power-ranchers-rbac-boost-for-enhanced-performance-and-scalability/).
+
+| Environment Variable Key | Default Value | Description |
+| --- | --- | --- |
+| `aggregated-roletemplates` | `false` | [Beta] Make RoleTemplates use aggregation for generated RBAC roles. |
+
+The value of this feature flag is locked on installation, which shows up in the UI as a lock symbol beside the feature flag. That means the feature can only be set on the first ever installation of Rancher. After that, attempting to modify the value will be denied.
diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md
index 58a82dfc38d..91ac8b6b51c 100644
--- a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md +++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-amazon-cognito.md @@ -58,3 +58,7 @@ if the user has not yet logged in to Rancher. However, if the user has previousl ### You are not redirected to your authentication provider If you fill out the **Configure an Amazon Cognito account** form and click on **Enable**, and you are not redirected to Amazon Cognito, verify your Amazon Cognito configuration. + +## Configuring OIDC Single Logout (SLO) + + \ No newline at end of file diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad.md index b17daeabbcd..a7f84745885 100644 --- a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad.md +++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad.md 
@@ -363,3 +363,22 @@ Since the filter prevents Rancher from seeing that the user belongs to an exclud >- If you don't wish to upgrade to v2.7.0+ after the Azure AD Graph API is retired, you'll need to either: - Use the built-in Rancher auth or - Use another third-party auth system and set that up in Rancher. Please see the [authentication docs](authentication-config.md) to learn how to configure other open authentication providers. + +## Azure AD Roles Claims + +Rancher supports the Roles claim provided by the Azure AD OIDC provider token, allowing for complete delegation of Role-Based Access Control (RBAC) to Azure AD. Previously, Rancher only processed the `Groups` claim to determine a user's `group` membership. This enhancement extends the logic to also include the Roles claim within the user's OIDC token. + +By including the Roles claim, administrators can: + +- Define specific high-level roles in Azure AD. +- Bind these Azure AD Roles directly to ProjectRoles or ClusterRoles within Rancher. +- Centralize and fully delegate access control decisions to the external OIDC provider. + +For example, consider the following role structure in Azure AD: + +| Azure AD Role Name | Members | +|--------------------|----------------| +| project-alpha-dev | User A, User C | + + +User A logs into Rancher via Azure AD. The OIDC token includes a Roles claim, [`project-alpha-dev`]. The Rancher logic processes the token, and the internal list of `groups`/roles for User A which includes `project-alpha-dev`. An administrator has created a Project Role Binding that maps the Azure AD Role `project-alpha-dev` to the Project Role `Dev Member` for Project Alpha. User A is automatically granted the `Dev Member` role in Project Alpha. 
diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md index e0d2577e5ff..d8b8d0ab79a 100644 --- a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md +++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-generic-oidc.md 
@@ -7,60 +7,69 @@ description: Create an OpenID Connect (OIDC) client and configure Rancher to wor -If your organization uses an OIDC provider for user authentication, you can configure Rancher to allow login using Identity Provider (IdP) credentials. Rancher supports integration with the OpenID Connect (OIDC) protocol and the SAML protocol. Both implementations are functionally equivalent when used with Rancher. The following instructions describe how to configure Rancher to work using the OIDC protocol. +Generic OpenID Connect (OIDC) allows users to sign in to Rancher using their credentials from their existing account at an OIDC Identity Provider (IdP). Rancher supports integration with the OIDC protocol and the SAML protocol. Both implementations are functionally equivalent when used with Rancher. The following instructions describe how to create an OIDC client and configure Rancher to work with your authentication provider. Users can then sign into Rancher using their login from the OIDC IdP. ## Prerequisites -- In Rancher: - - Generic OIDC is disabled. +### Identity Provider + +In Rancher, Generic OIDC is disabled. :::note + Consult the documentation for your specific IdP to complete the listed prerequisites. + ::: -- In your IdP: - - Create a new client with the settings below: +#### OIDC Client + +In your IdP, create a new client with the settings below: + + Setting | Value + ------------|------------ + `Client ID` | (e.g. `rancher`) + `Name` | (e.g. `rancher`) + `Client Protocol` | `openid-connect` + `Access Type` | `confidential` + `Valid Redirect URI` | `https://yourRancherHostURL/verify-auth` + +In the new OIDC client, create mappers to expose the user's fields. + + 1. Create a new `Groups Mapper` with the settings below: Setting | Value ------------|------------ - `Client ID` | (e.g. `rancher`) - `Name` | (e.g. 
`rancher`) - `Client Protocol` | `openid-connect` - `Access Type` | `confidential` - `Valid Redirect URI` | `https://yourRancherHostURL/verify-auth` + `Name` | `Groups Mapper` + `Mapper Type` | `Group Membership` + `Token Claim Name` | `groups` + `Add to ID token` | `OFF` + `Add to access token` | `OFF` + `Add to user info` | `ON` - - In the new OIDC client, create mappers to expose the users fields. - - Create a new Groups Mapper with the settings below: + 1. Create a new `Client Audience` with the settings below: - Setting | Value - ------------|------------ - `Name` | `Groups Mapper` - `Mapper Type` | `Group Membership` - `Token Claim Name` | `groups` - `Add to ID token` | `OFF` - `Add to access token` | `OFF` - `Add to user info` | `ON` + Setting | Value + ------------|------------ + `Name` | `Client Audience` + `Mapper Type` | `Audience` + `Included Client Audience` | `CLIENT_NAME` + `Add to access token` | `ON` - - Create a new Client Audience with the settings below: + 1. Create a new `Groups Path` with the settings below. - Setting | Value - ------------|------------ - `Name` | `Client Audience` - `Mapper Type` | `Audience` - `Included Client Audience` | - `Add to access token` | `ON` + Setting | Value + ------------|------------ + `Name` | `Group Path` + `Mapper Type` | `Group Membership` + `Token Claim Name` | `full_group_path` + `Full group path` | `ON` + `Add to user info` | `ON` - - Create a new "Groups Path" with the settings below. +:::warning - Setting | Value - ------------|------------ - `Name` | `Group Path` - `Mapper Type` | `Group Membership` - `Token Claim Name` | `full_group_path` - `Full group path` | `ON` - `Add to user info` | `ON` +Rancher uses the value received in the "sub" claim to form the PrincipalID which is the unique identifier in Rancher. It is important to make this a value that is unique and immutable. 
-- Important: Rancher will use the value received in the "sub" claim to form the PrincipalID which is the unique identifier in Rancher. It is important to make this a value that will be unique and immutable. +::: ## Configuring Generic OIDC in Rancher 
@@ -80,7 +89,31 @@ Consult the documentation for your specific IdP to complete the listed prerequis **Result:** Rancher is configured to work with your provider using the OIDC protocol. Your users can now sign into Rancher using their IdP logins. -## Configuration Reference +### Custom Claim Mapping + +Custom claim mapping within the Generic OIDC configuration is supported for `name`, `email` and `groups` claims. This allows you to manually map these OIDC claims when your IdP doesn't use standard names in tokens. + +#### How a Custom Groups Claim Works + +A custom groups claim influences how user groups work: + +- If both the standard OIDC `groups` claim and the custom groups claim are present in the user's token, the custom claim supplements the list of groups provided by the standard claim. +- If there is no standard groups claim in the token, the groups listed in the custom claim will form the user's only groups. + +:::note +There is no search functionality available for groups sourced from a custom claim. To assign a role to one of these groups, you must manually enter the group's exact name into the RBAC field. +::: + +#### Configuring Custom Claims + +When on the **Configure an OIDC account** form: + +1. Select **Add custom claims**. +1. Add your custom `name`, `email` or `groups` claims to the appropriate **Custom Claims** field. + +For example, if your IdP sends `groups` in a claim called `custom_roles`, enter `custom_roles` into the **Custom Groups Claim** field. Rancher then supplements the standard OIDC `groups` claim or looks for that specific claim when processing the user's token. + +### Configuration Reference | Field | Description | | ------------------------- |----------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -91,6 +124,15 @@ Consult the documentation for your specific IdP to complete the listed prerequis | Rancher URL | The URL for your Rancher Server. | | Issuer | The URL of your IdP. If your provider has discovery enabled, Rancher uses the Issuer URL to fetch all of the required URLs. | | Auth Endpoint | The URL where users are redirected to authenticate. | + +#### Custom Claims + +| Custom Claim Field | Default OIDC Claim | Custom Claim Description | +| ------------- | ------------------ | ------------------------ | +| Custom Name Claim | `name` | The name of the claim in the OIDC token that contains the user's full name or display name. | +| Custom Email Claim | `email` | The name of the claim in the OIDC token that contains the user's email address. | +| Custom Groups Claim | `groups` | The name of the claim in the OIDC token that contains the user's group memberships (used for RBAC). | + ## Troubleshooting If you are experiencing issues while testing the connection to the OIDC server, first double-check the configuration options of your OIDC client. You can also inspect the Rancher logs to help pinpoint what's causing issues. Debug logs may contain more detailed information about the error. Please refer to [How can I enable debug logging](../../../../faq/technical-items.md#how-can-i-enable-debug-logging) in this documentation. @@ -108,3 +150,7 @@ If the `Issuer` and `Auth Endpoint` are generated incorrectly, open the **Config ### Error: "Invalid grant_type" In some cases, the "Invalid grant_type" error message may be misleading and is actually caused by setting the `Valid Redirect URI` incorrectly. + +## Configuring OIDC Single Logout (SLO) + + 
diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github-app.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github-app.md
new file mode 100644
index 00000000000..5734108f396
--- /dev/null
+++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github-app.md
@@ -0,0 +1,84 @@
+---
+title: Configure GitHub App
+---
+
+
+
+
+
+In environments using GitHub, you can configure the new GitHub App authentication provider in Rancher, which allows users to authenticate against a GitHub Organization account using a dedicated [GitHub App](https://docs.github.com/en/apps/overview). This new provider runs alongside the existing standard GitHub authentication provider, offering increased security and better management of permissions based on GitHub Organization teams.
+
+## Prerequisites
+
+:::warning
+
+The GitHub App authentication provider only works with [GitHub Organization accounts](https://docs.github.com/en/get-started/learning-about-github/types-of-github-accounts#organization-accounts). It does not function with individual [GitHub User accounts](https://docs.github.com/en/get-started/learning-about-github/types-of-github-accounts#user-accounts).
+
+:::
+
+Before configuring the provider in Rancher, you must first create a GitHub App for your organization, generate a client secret for your GitHub App and generate a private key for your GitHub App. Refer to [Registering a GitHub App](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app) for details.
+
+### Create GitHub App
+
+1. Open your [GitHub organization settings](https://github.com/settings/organizations).
+1. To the right of the organization, select **Settings**.
+1. In the left sidebar, click **Developer settings** > **GitHub Apps**.
+1. Click **New Github App**.
+1. Fill in the GitHub App configuration form with these values:
+
+ - **GitHub App name**: Anything you like, e.g. `My Rancher`.
+ - **Application description**: Optional, can be left blank.
+ - **Homepage URL**: `https://localhost:8443`.
+ - **Callback URL**: `https://localhost:8443/verify-auth`.
+
+1. Select **Create Github App**.
+
+### Generate a Client Secret
+
+Generate a [client secret](https://docs.github.com/en/rest/authentication/authenticating-to-the-rest-api#using-basic-authentication) on the settings page for your app.
+
+1. Go to your GitHub App.
+1. Next to **Client Secrets**, select **Generate a new client secret**.
+
+### Generate a Private Key
+
+Generate a [private key](https://docs.github.com/en/enterprise-server/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps#generating-private-keys) on the settings page for your app.
+
+1. Go to your GitHub App.
+1. Next to **Private Keys**, click **Generate a private key**.
+
+## GitHub App Auth Provider Configuration
+
+To set up the GitHub App Auth Provider in Rancher, follow these steps:
+
+1. Navigate to the **Users & Authentication** section in the Rancher UI.
+1. Select **Auth Providers**.
+1. Select the **GitHub App** tile.
+1. Gather and enter the details of your GitHub App into the configuration form fields.
+
+ | Field Name | Description |
+ | ---------- | ----------- |
+ | **Client ID** (Required) | The client ID of your GitHub App. |
+ | **Client Secret** (Required) | The client secret of your GitHub App. |
+ | **GitHub App ID** (Required) | The numeric ID associated with your GitHub App. |
+ | **Installation ID** (Optional) | If you want to restrict authentication to a single installation of the App, provide its specific numeric Installation ID. |
+ | **Private Key** (Required) | The contents of the Private Key file (in PEM format) generated by GitHub for your App. |
+
+ :::note
+
+ A GitHub App can be installed across multiple Organizations, and each installation has a unique Installation ID. If you want to restrict authentication to a single App installation and GitHub Organization, provide the Installation ID during configuration. If you do not provide an Installation ID, the user's permissions are aggregated across all installations.
+
+ :::
+
+1. Select **Enable**.
Rancher attempts to validate the credentials and, upon success, activates the GitHub App provider. + +After it is enabled, users logging in via the GitHub App provider are automatically identified and you can leverage your GitHub Organization's teams and users to configure Role-Based Access Control (RBAC) and to assign permissions to projects and clusters. + +:::note + +Ensure that the users and teams you intend to use for authorization exist within the GitHub organization managed by the App. + +::: + +- **Users**: Individual GitHub users who are members of the GitHub Organization where the App is installed can log in. +- **Groups**: GitHub Organization teams are mapped to Rancher Groups, allowing you to assign entire teams permissions within Rancher projects and clusters. diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md index da031a96a29..646bf3ee8b6 100644 --- a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md +++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc.md @@ -203,3 +203,7 @@ To resolve this, you can either: 3. Save your changes. 2. Reconfigure your Keycloak OIDC setup using a user that is assigned to at least one group in Keycloak. + +## Configuring OIDC Single Logout (SLO) + + \ No newline at end of file 
diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md index afc0f04adce..9438d0dc8db 100644 --- a/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md +++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md @@ -120,6 +120,18 @@ For a breakdown of the port requirements for etcd nodes, controlplane nodes, and Details on which ports are used in each situation are found under [Downstream Cluster Port Requirements](../../../getting-started/installation-and-upgrade/installation-requirements/port-requirements.md#downstream-kubernetes-cluster-nodes). +### IPv6 Address Requirements + +Rancher supports clusters configured with IPv4-only, IPv6-only, or dual-stack networking. + +You must provision each node with at least one valid IPv4 address, one IPv6 address, or both, according to the cluster networking configuration. + +For IPv6-only environments, ensure you correctly configure the operating system and that the `/etc/hosts` file includes a valid localhost entry, for example: + +``` +::1 localhost +``` + :::caution You should never register a node with the same hostname or IP address as an existing node. Doing so causes RKE to prevent the node from joining, and provisioning to hang. This can occur for both node driver and custom clusters. If a node must reuse a hostname or IP of an existing node, you must set the `hostname_override` [RKE option](https://rke.docs.rancher.com/config-options/nodes#overriding-the-hostname) before registering the node, so that it can join correctly. 
diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/amazon.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/amazon.md index b49ca3f3ca3..fa19e811043 100644 --- a/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/amazon.md +++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/amazon.md @@ -299,7 +299,7 @@ rancher_kubernetes_engine_config: useInstanceMetadataHostname: true ``` -You must not enable `useInstanceMetadataHostname` when setting custom values for `hostname-override` for custom clusters. When you create a [custom cluster](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md), add [`--node-name`](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md) to the `docker run` node registration command to set `hostname-override` — for example, `"$(hostname -f)"`. This can be done manually or by using **Show Advanced Options** in the Rancher UI to add **Node Name**. +You must not enable `useInstanceMetadataHostname` when setting custom values for `hostname-override` for custom clusters. When you create a [custom cluster](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md), add `--node-name` to the `docker run` node registration command to set `hostname-override` — for example, `"$(hostname -f)"`. This can be done manually or by using **Show Advanced Options** in the Rancher UI to add **Node Name**. 2. Select the cloud provider. 
diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md
index 49f642caecc..0225b40c65e 100644
--- a/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md
+++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md
@@ -103,11 +103,11 @@ The `worker` nodes, which is where your workloads will be deployed on, will typi We recommend the minimum three-node architecture listed in the table below, but you can always add more Linux and Windows workers to scale up your cluster for redundancy: -| Node | Operating System | Kubernetes Cluster Role(s) | Purpose | -| ------ | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | -| Node 1 | Linux (Ubuntu Server 18.04 recommended) | Control plane, etcd, worker | Manage the Kubernetes cluster | -| Node 2 | Linux (Ubuntu Server 18.04 recommended) | Worker | Support the Rancher Cluster agent, Metrics server, DNS, and Ingress for the cluster | -| Node 3 | Windows (Windows Server core version 1809 or above) | Worker | Run your Windows containers | +| Node | Operating System | Kubernetes Cluster Role(s) | Purpose | +|--------|----------------------------------------------------------------------------------------|-----------------------------|-------------------------------------------------------------------------------------| +| Node 1 | Linux (Ubuntu Server 18.04 recommended) | Control plane, etcd, worker | Manage the Kubernetes cluster | +| Node 2 | Linux (Ubuntu Server 18.04 recommended) | Worker | Support the Rancher Cluster agent, Metrics server, DNS, and Ingress for the cluster | +| Node 3 | Windows (Windows Server core version 1809 or above required, version 2022 recommended) | Worker | Run your Windows containers | ### Container Requirements 
@@ -126,8 +126,6 @@ If you are using the GCE (Google Compute Engine) cloud provider, you must do the This tutorial describes how to create a Rancher-provisioned cluster with the three nodes in the [recommended architecture.](#recommended-architecture) -When you provision a cluster with Rancher on existing nodes, you add nodes to the cluster by installing the [Rancher agent](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md) on each one. To create or edit your cluster from the Rancher UI, run the **Registration Command** on each server to add it to your cluster. - To set up a cluster with support for Windows nodes and containers, you will need to complete the tasks below. ### 1. Provision Hosts 
@@ -142,15 +140,15 @@ Your hosts can be: You will provision three nodes: -- One Linux node, which manages the Kubernetes control plane and stores your `etcd` +- One Linux node, which manages the Kubernetes control plane, stores your `etcd`, and optionally be a worker node - A second Linux node, which will be another worker node - The Windows node, which will run your Windows containers as a worker node -| Node | Operating System | -| ------ | ------------------------------------------------------------ | -| Node 1 | Linux (Ubuntu Server 18.04 recommended) | -| Node 2 | Linux (Ubuntu Server 18.04 recommended) | -| Node 3 | Windows (Windows Server core version 1809 or above required) | +| Node | Operating System | +|--------|----------------------------------------------------------------------------------------| +| Node 1 | Linux (Ubuntu Server 18.04 recommended) | +| Node 2 | Linux (Ubuntu Server 18.04 recommended) | +| Node 3 | Windows (Windows Server core version 1809 or above required, version 2022 recommended) | If your nodes are hosted by a **Cloud Provider** and you want automation support such as loadbalancers or persistent storage devices, your nodes have additional configuration requirements. For details, see [Selecting Cloud Providers.](../set-up-cloud-providers/set-up-cloud-providers.md) 
@@ -164,11 +162,11 @@ The instructions for creating a Windows cluster on existing nodes are very simil 1. Enter a name for your cluster in the **Cluster Name** field. 1. In the **Kubernetes Version** dropdown menu, select a supported Kubernetes version. 1. In the **Container Network** field, select either **Calico** or **Flannel**. -1. Click **Next**. +1. Click **Create**. ### 3. Add Nodes to the Cluster -This section describes how to register your Linux and Worker nodes to your cluster. You will run a command on each node, which will install the Rancher agent and allow Rancher to manage each node. +This section describes how to register your Linux and Worker nodes to your cluster. You will run a command on each node, which will install the rancher system agent and allow Rancher to manage each node. #### Add Linux Master Node 
@@ -177,23 +175,18 @@ In this section, we fill out a form on the Rancher UI to get a custom command to The first node in your cluster should be a Linux host that has both the **Control Plane** and **etcd** roles. At a minimum, both of these roles must be enabled for this node, and this node must be added to your cluster before you can add Windows hosts. 1. After cluster creation, navigate to the **Registration** tab. -1. In **Step 1** under the **Node Role** section, select at least **etcd** and **Control Plane**. We recommend selecting all three. -1. Optional: If you click **Show advanced options,** you can customize the settings for the [Rancher agent](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md) and [node labels.](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) +1. In **Step 1** under the **Node Role** section, select all three roles. Although you can choose only the **etcd** and **Control Plane** roles, we recommend selecting all three. +1. Optional: If you click **Show Advanced**, you can configure additional settings such as specifying the IP address(es), overriding the node hostname, or adding [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node. 1. In **Step 2**, under the **Registration** section, copy the command displayed on the screen to your clipboard. 1. SSH into your Linux host and run the command that you copied to your clipboard. -**Result:** +**Results:** -Your cluster is created and assigned a state of **Provisioning**. Rancher is standing up your cluster. +Your cluster is created and assigned a state of **Updating**. Rancher is standing up your cluster. -You can access your cluster after its state is updated to **Active**. +It may take a few minutes for the node to register and appear under the **Machines** tab. 
-**Active** clusters are assigned two Projects: - -- `Default`, containing the `default` namespace -- `System`, containing the `cattle-system`, `ingress-nginx`, `kube-public`, and `kube-system` namespaces - -It may take a few minutes for the node to be registered in your cluster. +You’ll be able to access the cluster once its state changes to **Active**. #### Add Linux Worker Node @@ -203,11 +196,13 @@ After the initial provisioning of your cluster, your cluster only has a single L 1. After cluster creation, navigate to the **Registration** tab. 1. In **Step 1** under the **Node Role** section, select **Worker**. -1. Optional: If you click **Show advanced options,** you can customize the settings for the [Rancher agent](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md) and [node labels.](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) +1. Optional: If you click **Show Advanced**, you can configure additional settings such as specifying the IP address(es), overriding the node hostname, or to add [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node. 1. In **Step 2**, under the **Registration** section, copy the command displayed on the screen to your clipboard. 1. SSH into your Linux host and run the command that you copied to your clipboard. -**Result:** The **Worker** role is installed on your Linux host, and the node registers with Rancher. It may take a few minutes for the node to be registered in your cluster. +**Results:** + +The **Worker** role is installed on your Linux host, and the node registers with Rancher. It may take a few minutes for the node to be registered in your cluster. :::note 
@@ -216,7 +211,7 @@ Taints on Linux Worker Nodes For each Linux worker node added into the cluster, the following taints will be added to Linux worker node. By adding this taint to the Linux worker node, any workloads added to the Windows cluster will be automatically scheduled to the Windows worker node. If you want to schedule workloads specifically onto the Linux worker node, you will need to add tolerations to those workloads. | Taint Key | Taint Value | Taint Effect | -| -------------- | ----------- | ------------ | +|----------------|-------------|--------------| | `cattle.io/os` | `linux` | `NoSchedule` | ::: 
@@ -231,12 +226,16 @@ The registration command to add the Windows workers only appears after the clust 1. After cluster creation, navigate to the **Registration** tab. 1. In **Step 1** under the **Node Role** section, select **Worker**. -1. Optional: If you click **Show advanced options,** you can customize the settings for the [Rancher agent](../../../../reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md) and [node labels.](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) +1. Optional: If you click **Show Advanced**, you can configure additional settings such as specifying the IP address(es), overriding the node hostname, or adding [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node. 1. In **Step 2**, under the **Registration** section, copy the command for Windows workers displayed on the screen to your clipboard. -1. Log in to your Windows host using your preferred tool, such as [Microsoft Remote Desktop](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients). Run the command copied to your clipboard in the **Command Prompt (CMD)**. +1. Log in to your Windows host using your preferred tool, such as [Microsoft Remote Desktop](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients). Run the command copied to your clipboard in the **PowerShell Console** as an Administrator. 1. Optional: Repeat these instructions if you want to add more Windows nodes to your cluster. -**Result:** The **Worker** role is installed on your Windows host, and the node registers with Rancher. It may take a few minutes for the node to be registered in your cluster. You now have a Windows Kubernetes cluster. 
+**Results:** + +The **Worker** role is installed on your Windows host, and the node registers with Rancher. It may take a few minutes for the node to be registered in your cluster. + +You now have a Windows Kubernetes cluster. ### Optional Next Steps diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md index 11231c88c5a..07b28f311fa 100644 --- a/versioned_docs/version-2.13/how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md +++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md 
@@ -20,7 +20,8 @@ Then you will create an EC2 cluster in Rancher, and when configuring the new clu - [Example IAM Policy](#example-iam-policy) - [Example IAM Policy with PassRole](#example-iam-policy-with-passrole) (needed if you want to use [Kubernetes Cloud Provider](../../kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/set-up-cloud-providers.md) or want to pass an IAM Profile to an instance) - [Example IAM Policy to allow encrypted EBS volumes](#example-iam-policy-to-allow-encrypted-ebs-volumes) -- **IAM Policy added as Permission** to the user. See [Amazon Documentation: Adding Permissions to a User (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) how to attach it to an user. +- **IAM Policy added as Permission** to the user. See [Amazon Documentation: Adding Permissions to a User (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) how to attach it to a user. +- **IPv4-only or IPv6-only or dual-stack subnet and/or VPC** where nodes can be provisioned and assigned IPv4 and/or IPv6 addresses. See [Amazon Documentation: IPv6 support for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6.html). ## Creating an EC2 Cluster diff --git a/versioned_docs/version-2.13/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md b/versioned_docs/version-2.13/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md index f01b4856810..27ab8e1b60d 100644 --- a/versioned_docs/version-2.13/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md +++ b/versioned_docs/version-2.13/integrations-in-rancher/cloud-marketplace/aws-cloud-marketplace/install-adapter.md 
@@ -19,10 +19,7 @@ In order to deploy and run the adapter successfully, you need to ensure its vers | Rancher Version | Adapter Version | |-----------------|------------------| -| v2.12.3 | 107.0.0+up7.0.0 | -| v2.12.2 | 107.0.0+up7.0.0 | -| v2.12.1 | 107.0.0+up7.0.0 | -| v2.12.0 | 107.0.0+up7.0.0 | +| v2.13.0 | 108.0.0+up8.0.0 | ### 1. Gain Access to the Local Cluster diff --git a/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/amazon-ec2.md b/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/amazon-ec2.md index 4640d142697..e9ac92a352e 100644 --- a/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/amazon-ec2.md +++ b/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/amazon-ec2.md @@ -80,3 +80,18 @@ Use [Instance Metadata Service Version 2 (IMDSv2)](https://docs.aws.amazon.com/A Add metadata using [tags](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) to categorize resources. +### IPv6 Address Count + +Specify how many IPv6 addresses to assign to the instance’s network interface. + +### IPv6 Address Only + +Enable this option if the instance should use IPv6 exclusively. IPv6-only VPCs or subnets require this. When enabled, the instance will have IPv6 as its sole address, and the IPv6 Address Count must be greater than zero. + +### HTTP Protocol IPv6 + +Enable or disable IPv6 endpoints for the instance metadata service. + +### Enable Primary IPv6 + +Enable this option to designate the first assigned IPv6 address as the primary address. This ensures a consistent, non-changing IPv6 address for the instance. It does not control whether IPv6 addresses are assigned. 
diff --git a/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/digitalocean.md b/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/digitalocean.md index 634c7f48561..0c8662b46a3 100644 --- a/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/digitalocean.md +++ b/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/digitalocean.md @@ -28,6 +28,8 @@ Enable the DigitalOcean agent for additional [monitoring](https://docs.digitaloc Enable IPv6 for Droplets. +For more information, refer to the [Digital Ocean IPv6 documentation](https://docs.digitalocean.com/products/networking/ipv6). + ### Private Networking Enable private networking for Droplets. diff --git a/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/google-gce.md b/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/google-gce.md index 6c320f3b3d4..85c77d64b17 100644 --- a/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/google-gce.md +++ b/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/google-gce.md 
@@ -71,7 +71,7 @@ Tags is a list of _network tags_, which can be used to associate preexisting Fir ### Labels -A comma seperated list of custom labels to be attached to all VMs within a given machine pool. Unlike Tags, Labels do not influence networking behavior and only serve to organize cloud resources. +A comma separated list of custom labels to be attached to all VMs within a given machine pool. Unlike Tags, Labels do not influence networking behavior and only serve to organize cloud resources. ## Advanced Options diff --git a/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/machine-configuration.md b/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/machine-configuration.md index cff1dada268..b9515bade61 100644 --- a/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/machine-configuration.md +++ b/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/machine-configuration/machine-configuration.md @@ -6,4 +6,4 @@ title: Machine Configuration -Machine configuration is the arrangement of resources assigned to a virtual machine. Please see the docs for [Amazon EC2](amazon-ec2.md), [DigitalOcean](digitalocean.md), and [Azure](azure.md) to learn more. \ No newline at end of file +Machine configuration is the arrangement of resources assigned to a virtual machine. Please see the docs for [Amazon EC2](amazon-ec2.md), [DigitalOcean](digitalocean.md), [Google GCE](google-gce.md), and [Azure](azure.md) to learn more. 
diff --git a/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/node-template-configuration/node-template-configuration.md b/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/node-template-configuration/node-template-configuration.md index e0f9ba4105d..693a225a9f7 100644 --- a/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/node-template-configuration/node-template-configuration.md +++ b/versioned_docs/version-2.13/reference-guides/cluster-configuration/downstream-cluster-configuration/node-template-configuration/node-template-configuration.md @@ -6,4 +6,6 @@ title: Node Template Configuration + + To learn about node template config, refer to [EC2 Node Template Configuration](amazon-ec2.md), [DigitalOcean Node Template Configuration](digitalocean.md), [Azure Node Template Configuration](azure.md), [vSphere Node Template Configuration](vsphere.md), and [Nutanix Node Template Configuration](nutanix.md). diff --git a/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/gke-cluster-configuration/gke-cluster-configuration.md b/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/gke-cluster-configuration/gke-cluster-configuration.md index 43258e491c4..a604d75ef3d 100644 --- a/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/gke-cluster-configuration/gke-cluster-configuration.md +++ b/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/gke-cluster-configuration/gke-cluster-configuration.md 
@@ -63,7 +63,15 @@ Enable network policy enforcement on the cluster. A network policy defines the l _Mutable: yes_ -choose whether to enable or disable inter-project communication. Note that enabling Project Network Isolation will automatically enable Network Policy and Network Policy Config, but not vice versa. +Choose whether to enable or disable inter-project communication. + +#### Imported Clusters + +For imported clusters, Project Network Isolation (PNI) requires Kubernetes Network Policy to be enabled on the cluster beforehand. +For clusters created by Rancher, Rancher enables Kubernetes Network Policy automatically. + +1. In GKE, enable Network Policy at the cluster level. Refer to the [official GKE guide](https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy) for instructions. +1. After enabling Network Policy, import the cluster into Rancher and enable PNI for project-level isolation. ### Node Ipv4 CIDR Block diff --git a/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/k3s-cluster-configuration.md b/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/k3s-cluster-configuration.md index 6ec07fe1906..cd185c88983 100644 --- a/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/k3s-cluster-configuration.md +++ b/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/k3s-cluster-configuration.md 
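Review bot: The new "Imported Clusters" text says Project Network Isolation requires Kubernetes Network Policy on an imported GKE cluster, but it does not say what happens when PNI is switched on without it, which is the case an operator most needs to recognise. The removed sentence documented that enabling PNI also enabled Network Policy and Network Policy Config; with that gone, the page gives no way to tell whether isolation is actually enforced on an imported cluster. Consider adding a line such as `If Network Policy is not enabled on the imported cluster, do not rely on PNI for isolation between projects until it is enabled and verified.` Whether Rancher rejects the setting or accepts it without enforcement is not visible in this hunk, so the text should state the real behaviour. The sentence about clusters created by Rancher also sits under the "Imported Clusters" heading and would read better above it.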
@@ -13,7 +13,7 @@ This section covers the configuration options that are available in Rancher for You can configure the Kubernetes options one of two ways: - [Rancher UI](#configuration-options-in-the-rancher-ui): Use the Rancher UI to select options that are commonly customized when setting up a Kubernetes cluster. -- [Cluster Config File](#cluster-config-file-reference): Instead of using the Rancher UI to choose Kubernetes options for the cluster, advanced users can create a K3s config file. Using a config file allows you to set any of the [options](https://rancher.com/docs/k3s/latest/en/installation/install-options/) available in an K3s installation. +- [Cluster Config File](#cluster-config-file-reference): Instead of using the Rancher UI to choose Kubernetes options for the cluster, advanced users can create a K3s config file. Using a config file lets you set any of the [options](https://rancher.com/docs/k3s/latest/en/installation/install-options/) available during a K3s installation. ## Editing Clusters in the Rancher UI @@ -32,7 +32,7 @@ To edit your cluster, ### Editing Clusters in YAML -For a complete reference of configurable options for K3s clusters in YAML, see the [K3s documentation.](https://rancher.com/docs/k3s/latest/en/installation/install-options/) +For a complete reference of configurable options for K3s clusters in YAML, see the [K3s documentation](https://docs.k3s.io/installation/configuration). To edit your cluster with YAML: 
@@ -48,7 +48,8 @@ This subsection covers generic machine pool configurations. For specific infrast - [Azure](../downstream-cluster-configuration/machine-configuration/azure.md) - [DigitalOcean](../downstream-cluster-configuration/machine-configuration/digitalocean.md) -- [EC2](../downstream-cluster-configuration/machine-configuration/amazon-ec2.md) +- [Amazon EC2](../downstream-cluster-configuration/machine-configuration/amazon-ec2.md) +- [Google GCE](../downstream-cluster-configuration/machine-configuration/google-gce.md) ##### Pool Name @@ -86,9 +87,9 @@ Add [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-tolerat #### Basics ##### Kubernetes Version -The version of Kubernetes installed on your cluster nodes. Rancher packages its own version of Kubernetes based on [hyperkube](https://github.com/rancher/hyperkube). +The version of Kubernetes installed on your cluster nodes. -For more detail, see [Upgrading Kubernetes](../../../getting-started/installation-and-upgrade/upgrade-and-roll-back-kubernetes.md). +For details on upgrading or rolling back Kubernetes, refer to [this guide](../../../getting-started/installation-and-upgrade/upgrade-and-roll-back-kubernetes.md). ##### Pod Security Admission Configuration Template @@ -108,7 +109,7 @@ Option to enable or disable [SELinux](https://rancher.com/docs/k3s/latest/en/adv ##### CoreDNS -By default, [CoreDNS](https://coredns.io/) is installed as the default DNS provider. If CoreDNS is not installed, an alternate DNS provider must be installed yourself. Refer to the [K3s documentation](https://rancher.com/docs/k3s/latest/en/networking/#coredns) for details.. +By default, [CoreDNS](https://coredns.io/) is installed as the default DNS provider. If CoreDNS is not installed, an alternate DNS provider must be installed yourself. Refer to the [K3s documentation](https://rancher.com/docs/k3s/latest/en/networking/#coredns) for details. ##### Klipper Service LB 
@@ -148,15 +149,49 @@ Option to choose whether to expose etcd metrics to the public or only within the ##### Cluster CIDR -IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16). +IPv4/IPv6 network CIDRs to use for pod IPs (default: `10.42.0.0/16`). + +Example values: + +- IPv4-only: `10.42.0.0/16` +- IPv6-only: `2001:cafe:42::/56` +- Dual-stack: `10.42.0.0/16,2001:cafe:42::/56` + +For additional requirements and limitations related to dual-stack or IPv6-only networking, see the following resources: + +- [K3s documentation: Dual-stack (IPv4 + IPv6) Networking](https://docs.k3s.io/networking/basic-network-options#dual-stack-ipv4--ipv6-networking) +- [K3s documentation: Single-stack IPv6 Networking](https://docs.k3s.io/networking/basic-network-options#single-stack-ipv6-networking) + +:::caution + +You must configure the Service CIDR when you first create the cluster. You cannot enable the Service CIDR on an existing cluster after it starts. + +::: ##### Service CIDR -IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16). +IPv4/IPv6 network CIDRs to use for service IPs (default: `10.43.0.0/16`). + +Example values: + +- IPv4-only: `10.43.0.0/16` +- IPv6-only: `2001:cafe:43::/112` +- Dual-stack: `10.43.0.0/16,2001:cafe:43::/112` + +For additional requirements and limitations related to dual-stack or IPv6-only networking, see the following resources: + +- [K3s documentation: Dual-stack (IPv4 + IPv6) Networking](https://docs.k3s.io/networking/basic-network-options#dual-stack-ipv4--ipv6-networking) +- [K3s documentation: Single-stack IPv6 Networking](https://docs.k3s.io/networking/basic-network-options#single-stack-ipv6-networking) + +:::caution + +You must configure the Service CIDR when you first create the cluster. You cannot enable the Service CIDR on an existing cluster after it starts. + +::: ##### Cluster DNS -IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10). 
+IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: `10.43.0.10`). ##### Cluster Domain @@ -168,11 +203,11 @@ Option to change the range of ports that can be used for [NodePort services](htt ##### Truncate Hostnames -Option to truncate hostnames to 15 characters or less. You can only set this field during the initial creation of the cluster. You can't enable or disable the 15 character limit after cluster creation. +Option to truncate hostnames to 15 characters or fewer. You can only set this field during the initial creation of the cluster. You can't enable or disable the 15-character limit after cluster creation. This setting only affects machine-provisioned clusters. Since custom clusters set hostnames during their own node creation process, which occurs outside of Rancher, this field doesn't restrict custom cluster hostname length. -Truncating hostnames in a cluster improves compatibility with Windows-based systems. Although Kubernetes allows hostnames up to 63 characters in length, systems that use NetBIOS restrict hostnames to 15 characters or less. +Truncating hostnames in a cluster improves compatibility with Windows-based systems. Although Kubernetes allows hostnames up to 63 characters in length, systems that use NetBIOS restrict hostnames to 15 characters or fewer. ##### TLS Alternate Names 
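Review bot: The caution added under `##### Cluster CIDR` in hunk `@@ -148,15 +149,49 @@` names the Service CIDR ("You must configure the Service CIDR when you first create the cluster...") and is word for word the caution under `##### Service CIDR`, so it looks like a copy-paste slip. If the pod CIDR is also fixed at creation time, the first caution should read `You must configure the Cluster CIDR when you first create the cluster. You cannot change the Cluster CIDR on an existing cluster after it starts.` The verb "enable" in both cautions is odd for a field that always has a default, so "change" is presumably what is meant. The same pair of cautions is added to `rke2-cluster-configuration.md` in hunk `@@ -181,27 +181,62 @@` and needs the same correction.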
@@ -186,6 +221,33 @@ For more detail on how an authorized cluster endpoint works and why it is used, We recommend using a load balancer with the authorized cluster endpoint. For details, refer to the [recommended architecture section.](../../rancher-manager-architecture/architecture-recommendations.md#architecture-for-an-authorized-cluster-endpoint-ace) +##### Stack Preference + +Choose the networking stack for the cluster. This option affects: + +- The address used for health and readiness probes of components such as Calico, etcd, kube-apiserver, kube-scheduler, kube-controller-manager, and kubelet. +- The server URL in the `authentication-token-webhook-config-file` for the Authorized Cluster Endpoint. +- The `advertise-client-urls` setting for etcd during snapshot restoration. + +Options are `ipv4`, `ipv6`, `dual`: + +- When set to `ipv4`, the cluster uses `127.0.0.1` +- When set to `ipv6`, the cluster uses `[::1]` +- When set to `dual`, the cluster uses `localhost` + +The stack preference must match the cluster’s networking configuration: + +- Set to `ipv4` for IPv4-only clusters +- Set to `ipv6` for IPv6-only clusters +- Set to `dual` for dual-stack clusters + +:::caution + +Ensuring the loopback address configuration is correct is critical for successful cluster provisioning. +For more information, refer to the [Node Requirements](../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md) page. + +::: + #### Registries Select the image repository to pull Rancher images from. For more details and configuration options, see the [K3s documentation](https://rancher.com/docs/k3s/latest/en/installation/private-registry/). 
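Review bot: The caution in the new `##### Stack Preference` section says the loopback address configuration must be correct but does not say what to check on the node. This patch's `use-existing-nodes.md` change gives the concrete requirement for IPv6-only hosts (`::1 localhost` in `/etc/hosts`). Because `dual` makes the cluster use `localhost` for component probes, the Authorized Cluster Endpoint webhook server URL and etcd `advertise-client-urls`, it would help to state here that `localhost` presumably has to resolve correctly on every node for the chosen stack. The section also does not say whether Stack Preference can be changed after cluster creation, unlike the neighbouring Truncate Hostnames field. The identical section is added to `rke2-cluster-configuration.md` in hunk `@@ -233,6 +268,33 @@`.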
diff --git a/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/rke2-cluster-configuration.md b/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/rke2-cluster-configuration.md index f1c66ff4960..a8404dbfece 100644 --- a/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/rke2-cluster-configuration.md +++ b/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/rke2-cluster-configuration.md @@ -32,7 +32,7 @@ To edit your cluster, ### Editing Clusters in YAML -For a complete reference of configurable options for K3s clusters in YAML, see the [K3s documentation.](https://rancher.com/docs/k3s/latest/en/installation/install-options/) +For a complete reference of configurable options for RKE2 clusters in YAML, see the [RKE2 documentation](https://docs.rke2.io/install/configuration). To edit your cluster in YAML: @@ -48,7 +48,8 @@ This subsection covers generic machine pool configurations. For specific infrast - [Azure](../downstream-cluster-configuration/machine-configuration/azure.md) - [DigitalOcean](../downstream-cluster-configuration/machine-configuration/digitalocean.md) -- [EC2](../downstream-cluster-configuration/machine-configuration/amazon-ec2.md) +- [Amazon EC2](../downstream-cluster-configuration/machine-configuration/amazon-ec2.md) +- [Google GCE](../downstream-cluster-configuration/machine-configuration/google-gce.md) ##### Pool Name 
@@ -86,9 +87,9 @@ Add [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-tolerat #### Basics ##### Kubernetes Version -The version of Kubernetes installed on your cluster nodes. Rancher packages its own version of Kubernetes based on [hyperkube](https://github.com/rancher/hyperkube). +The version of Kubernetes installed on your cluster nodes. -For more detail, see [Upgrading Kubernetes](../../../getting-started/installation-and-upgrade/upgrade-and-roll-back-kubernetes.md). +For details on upgrading or rolling back Kubernetes, refer to [this guide](../../../getting-started/installation-and-upgrade/upgrade-and-roll-back-kubernetes.md). ##### Container Network Provider 
@@ -105,20 +106,19 @@ Out of the box, Rancher is compatible with the following network providers: - [Canal](https://github.com/projectcalico/canal) - [Cilium](https://cilium.io/)* - [Calico](https://docs.projectcalico.org/v3.11/introduction/) +- [Flannel](https://github.com/flannel-io/flannel) - [Multus](https://github.com/k8snetworkplumbingwg/multus-cni) \* When using [project network isolation](#project-network-isolation) in the [Cilium CNI](../../../faq/container-network-interface-providers.md#cilium), it is possible to enable cross-node ingress routing. Click the [CNI provider docs](../../../faq/container-network-interface-providers.md#ingress-routing-across-nodes-in-cilium) to learn more. -For more details on the different networking providers and how to configure them, please view our [RKE2 documentation](https://docs.rke2.io/install/network_options). +For more details on the different networking providers and how to configure them, please view our [RKE2 documentation](https://docs.rke2.io/networking/basic_network_options). -###### Dual-stack Networking - -[Dual-stack](https://docs.rke2.io/install/network_options#dual-stack-configuration) networking is supported for all CNI providers. To configure RKE2 in dual-stack mode, set valid IPv4/IPv6 CIDRs for your [Cluster CIDR](#cluster-cidr) and/or [Service CIDR](#service-cidr). - -###### Dual-stack Additional Configuration +:::caution When using `cilium` or `multus,cilium` as your container network interface provider, ensure the **Enable IPv6 Support** option is also enabled. +::: + ##### Cloud Provider You can configure a [Kubernetes cloud provider](../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/set-up-cloud-providers.md). 
If you want to use dynamically provisioned [volumes and storage](../../../how-to-guides/new-user-guides/manage-clusters/create-kubernetes-persistent-storage/create-kubernetes-persistent-storage.md) in Kubernetes, typically you must select the specific cloud provider in order to use it. For example, if you want to use Amazon EBS, you would need to select the `aws` cloud provider. 
@@ -181,27 +181,62 @@ Option to choose whether to expose etcd metrics to the public or only within the ##### Cluster CIDR -IPv4 and/or IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16). +IPv4 and/or IPv6 network CIDRs to use for pod IPs (default: `10.42.0.0/16`). -###### Dual-stack Networking +Example values: -To configure [dual-stack](https://docs.rke2.io/install/network_options#dual-stack-configuration) mode, enter a valid IPv4/IPv6 CIDR. For example `10.42.0.0/16,2001:cafe:42:0::/56`. +- IPv4-only: `10.42.0.0/16` +- IPv6-only: `2001:cafe:42::/56` +- Dual-stack: `10.42.0.0/16,2001:cafe:42::/56` -[Additional configuration](#dual-stack-additional-configuration) is required when using `cilium` or `multus,cilium` as your [container network](#container-network-provider) interface provider. + +For additional requirements and limitations related to dual-stack or IPv6-only networking, see the following resources: + +- [RKE2 documentation: Dual-stack configuration](https://docs.rke2.io/networking/basic_network_options#dual-stack-configuration) +- [RKE2 documentation: IPv6-only setup](https://docs.rke2.io/networking/basic_network_options#ipv6-setup) + +:::caution + +You must configure the Service CIDR when you first create the cluster. You cannot enable the Service CIDR on an existing cluster after it starts. + +::: + +:::caution + +When using `cilium` or `multus,cilium` as your container network interface provider, ensure the **Enable IPv6 Support** option is also enabled. + +::: ##### Service CIDR -IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16). +IPv4/IPv6 network CIDRs to use for service IPs (default: `10.43.0.0/16`). -###### Dual-stack Networking +Example values: -To configure [dual-stack](https://docs.rke2.io/install/network_options#dual-stack-configuration) mode, enter a valid IPv4/IPv6 CIDR. For example `10.42.0.0/16,2001:cafe:42:0::/56`. 
+- IPv4-only: `10.43.0.0/16` +- IPv6-only: `2001:cafe:43::/112` +- Dual-stack: `10.43.0.0/16,2001:cafe:43::/112` -[Additional configuration](#dual-stack-additional-configuration) is required when using `cilium ` or `multus,cilium` as your [container network](#container-network-provider) interface provider. +For additional requirements and limitations related to dual-stack or IPv6-only networking, see the following resources: + +- [RKE2 documentation: Dual-stack configuration](https://docs.rke2.io/networking/basic_network_options#dual-stack-configuration) +- [RKE2 documentation: IPv6-only setup](https://docs.rke2.io/networking/basic_network_options#ipv6-setup) + +:::caution + +You must configure the Service CIDR when you first create the cluster. You cannot enable the Service CIDR on an existing cluster after it starts. + +::: + +:::caution + +When using `cilium` or `multus,cilium` as your container network interface provider, ensure the **Enable IPv6 Support** option is also enabled. + +::: ##### Cluster DNS -IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10). +IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: `10.43.0.10`). ##### Cluster Domain 
@@ -213,11 +248,11 @@ Option to change the range of ports that can be used for [NodePort services](htt ##### Truncate Hostnames -Option to truncate hostnames to 15 characters or less. You can only set this field during the initial creation of the cluster. You can't enable or disable the 15 character limit after cluster creation. +Option to truncate hostnames to 15 characters or fewer. You can only set this field during the initial creation of the cluster. You can't enable or disable the 15-character limit after cluster creation. This setting only affects machine-provisioned clusters. Since custom clusters set hostnames during their own node creation process, which occurs outside of Rancher, this field doesn't restrict custom cluster hostname length. -Truncating hostnames in a cluster improves compatibility with Windows-based systems. Although Kubernetes allows hostnames up to 63 characters in length, systems that use NetBIOS restrict hostnames to 15 characters or less. +Truncating hostnames in a cluster improves compatibility with Windows-based systems. Although Kubernetes allows hostnames up to 63 characters in length, systems that use NetBIOS restrict hostnames to 15 characters or fewer. ##### TLS Alternate Names 
@@ -233,6 +268,33 @@ For more detail on how an authorized cluster endpoint works and why it is used, We recommend using a load balancer with the authorized cluster endpoint. For details, refer to the [recommended architecture section.](../../rancher-manager-architecture/architecture-recommendations.md#architecture-for-an-authorized-cluster-endpoint-ace) +##### Stack Preference + +Choose the networking stack for the cluster. This option affects: + +- The address used for health and readiness probes of components such as Calico, etcd, kube-apiserver, kube-scheduler, kube-controller-manager, and kubelet. +- The server URL in the `authentication-token-webhook-config-file` for the Authorized Cluster Endpoint. +- The `advertise-client-urls` setting for etcd during snapshot restoration. + +Options are `ipv4`, `ipv6`, `dual`: + +- When set to `ipv4`, the cluster uses `127.0.0.1` +- When set to `ipv6`, the cluster uses `[::1]` +- When set to `dual`, the cluster uses `localhost` + +The stack preference must match the cluster’s networking configuration: + +- Set to `ipv4` for IPv4-only clusters +- Set to `ipv6` for IPv6-only clusters +- Set to `dual` for dual-stack clusters + +:::caution + +Ensuring the loopback address configuration is correct is critical for successful cluster provisioning. +For more information, refer to the [Node Requirements](../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md) page. + +::: + #### Registries Select the image repository to pull Rancher images from. For more details and configuration options, see the [RKE2 documentation](https://docs.rke2.io/install/private_registry). 
diff --git a/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md b/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md deleted file mode 100644 index 183cdb4f558..00000000000 --- a/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options.md +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -title: Rancher Agent Options ---- - - - - - -Rancher deploys an agent on each node to communicate with the node. This pages describes the options that can be passed to the agent. To use these options, you will need to [create a cluster with custom nodes](use-existing-nodes.md) and add the options to the generated `docker run` command when adding a node. - -For an overview of how Rancher communicates with downstream clusters using node agents, refer to the [architecture section.](../../../rancher-manager-architecture/communicating-with-downstream-user-clusters.md#3-node-agents) - -## General options - -| Parameter | Environment variable | Description | -| ---------- | -------------------- | ----------- | -| `--server` | `CATTLE_SERVER` | The configured Rancher `server-url` setting which the agent connects to | -| `--token` | `CATTLE_TOKEN` | Token that is needed to register the node in Rancher | -| `--ca-checksum` | `CATTLE_CA_CHECKSUM` | The SHA256 checksum of the configured Rancher `cacerts` setting to validate | -| `--node-name` | `CATTLE_NODE_NAME` | Override the hostname that is used to register the node (defaults to `hostname -s`) | -| `--label` | `CATTLE_NODE_LABEL` | Add node labels to the node. For multiple labels, pass additional `--label` options. (`--label key=value`) | -| `--taints` | `CATTLE_NODE_TAINTS` | Add node taints to the node. For multiple taints, pass additional `--taints` options. 
(`--taints key=value:effect`) | - -## Role options - -| Parameter | Environment variable | Description | -| ---------- | -------------------- | ----------- | -| `--all-roles` | `ALL=true` | Apply all roles (`etcd`,`controlplane`,`worker`) to the node | -| `--etcd` | `ETCD=true` | Apply the role `etcd` to the node | -| `--controlplane` | `CONTROL=true` | Apply the role `controlplane` to the node | -| `--worker` | `WORKER=true` | Apply the role `worker` to the node | - -## IP address options - -| Parameter | Environment variable | Description | -| ---------- | -------------------- | ----------- | -| `--address` | `CATTLE_ADDRESS` | The IP address the node will be registered with (defaults to the IP used to reach `8.8.8.8`) | -| `--internal-address` | `CATTLE_INTERNAL_ADDRESS` | The IP address used for inter-host communication on a private network | - -### Dynamic IP address options - -For automation purposes, you can't have a specific IP address in a command as it has to be generic to be used for every node. For this, we have dynamic IP address options. They are used as a value to the existing IP address options. This is supported for `--address` and `--internal-address`. 
- -| Value | Example | Description | -| ---------- | -------------------- | ----------- | -| Interface name | `--address eth0` | The first configured IP address will be retrieved from the given interface | -| `ipify` | `--address ipify` | Value retrieved from `https://api.ipify.org` will be used | -| `awslocal` | `--address awslocal` | Value retrieved from `http://169.254.169.254/latest/meta-data/local-ipv4` will be used | -| `awspublic` | `--address awspublic` | Value retrieved from `http://169.254.169.254/latest/meta-data/public-ipv4` will be used | -| `doprivate` | `--address doprivate` | Value retrieved from `http://169.254.169.254/metadata/v1/interfaces/private/0/ipv4/address` will be used | -| `dopublic` | `--address dopublic` | Value retrieved from `http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address` will be used | -| `azprivate` | `--address azprivate` | Value retrieved from `http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/privateIpAddress?api-version=2017-08-01&format=text` will be used | -| `azpublic` | `--address azpublic` | Value retrieved from `http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-08-01&format=text` will be used | -| `gceinternal` | `--address gceinternal` | Value retrieved from `http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip` will be used | -| `gceexternal` | `--address gceexternal` | Value retrieved from `http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip` will be used | -| `packetlocal` | `--address packetlocal` | Value retrieved from `https://metadata.packet.net/2009-04-04/meta-data/local-ipv4` will be used | -| `packetpublic` | `--address packetlocal` | Value retrieved from `https://metadata.packet.net/2009-04-04/meta-data/public-ipv4` will be used | 
diff --git a/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md b/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md index 8e09f4a4b88..a27ac9ac48c 100644 --- a/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md +++ b/versioned_docs/version-2.13/reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md @@ -9,7 +9,7 @@ description: To create a cluster with custom nodes, you’ll need to access serv When you create a custom cluster, Rancher can use RKE2/K3s to create a Kubernetes cluster in on-prem bare-metal servers, on-prem virtual machines, or in any node hosted by an infrastructure provider. -To use this option you'll need access to servers you intend to use in your Kubernetes cluster. Provision each server according to the [requirements](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md), which includes some hardware specifications and Docker. After you install Docker on each server, you willl also run the command provided in the Rancher UI on each server to turn each one into a Kubernetes node. +To use this option, you need access to the servers that will be part of your Kubernetes cluster. Provision each server according to the [requirements](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md). Then, run the command provided in the Rancher UI on each server to convert it into a Kubernetes node. This section describes how to set up a custom cluster. 
@@ -33,7 +33,15 @@ If you want to reuse a node from a previous custom cluster, [clean the node](../ Provision the host according to the [installation requirements](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md) and the [checklist for production-ready clusters.](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/checklist-for-production-ready-clusters/checklist-for-production-ready-clusters.md) -If you're using Amazon EC2 as your host and want to use the [dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) feature, there are additional [requirements](https://rancher.com/docs/rke//latest/en/config-options/dual-stack#requirements) when provisioning the host. +:::note IPv6-only cluster + +For an IPv6-only cluster, ensure that your operating system correctly configures the `/etc/hosts` file. + +``` +::1 localhost +``` + +::: ### 2. Create the Custom Cluster 
@@ -41,39 +49,43 @@ If you're using Amazon EC2 as your host and want to use the [dual-stack](https:/ 1. On the **Clusters** page, click **Create**. 1. Click **Custom**. 1. Enter a **Cluster Name**. -1. Use **Cluster Configuration** section to choose the version of Kubernetes, what network provider will be used and if you want to enable project network isolation. To see more cluster options, click on **Show advanced options**. +1. Use the **Cluster Configuration** section to set up the cluster. For more information, see [RKE2 Cluster Configuration Reference](../rke2-cluster-configuration.md) and [K3s Cluster Configuration Reference](../k3s-cluster-configuration.md). - :::note Using Windows nodes as Kubernetes workers? + :::note Windows nodes - - See [Enable the Windows Support Option](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md). - - The only Network Provider available for clusters with Windows support is Flannel. + To learn more about using Windows nodes as Kubernetes workers, see [Launching Kubernetes on Windows Clusters](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md). - ::: + ::: - :::note Dual-stack on Amazon EC2: +1. Click **Create**. - If you're using Amazon EC2 as your host and want to use the [dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) feature, there are additional [requirements](https://rancher.com/docs/rke//latest/en/config-options/dual-stack#requirements) when configuring RKE. +**Result:** The UI redirects to the **Registration** page, where you can generate the registration command for your nodes. - ::: +1. From **Node Role**, select the roles you want a cluster node to fill. You must provision at least one node for each role: etcd, worker, and control plane. A custom cluster requires all three roles to finish provisioning. 
For more information on roles, see [Roles for Nodes in Kubernetes Clusters](../../../kubernetes-concepts.md#roles-for-nodes-in-kubernetes-clusters). -6. Click **Next**. + :::note Bare-Metal Server -4. Use **Member Roles** to configure user authorization for the cluster. Click **Add Member** to add users that can access the cluster. Use the **Role** drop-down to set permissions for each user. + If you plan to dedicate bare-metal servers to each role, you must provision a bare-metal server for each role (i.e., provision multiple bare-metal servers). -7. From **Node Role**, choose the roles that you want filled by a cluster node. You must provision at least one node for each role: `etcd`, `worker`, and `control plane`. All three roles are required for a custom cluster to finish provisioning. For more information on roles, see [this section.](../../../kubernetes-concepts.md#roles-for-nodes-in-kubernetes-clusters) + :::note -:::note +1. **Optional**: Click **Show Advanced** to configure additional settings such as specifying the IP address(es), overriding the node hostname, or adding [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node -- Using Windows nodes as Kubernetes workers? See [this section](../../../../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/use-windows-clusters/use-windows-clusters.md). -- Bare-Metal Server Reminder: If you plan on dedicating bare-metal servers to each role, you must provision a bare-metal server for each role (i.e. provision multiple bare-metal servers). + :::note -::: + The **Node Public IP** and **Node Private IP** fields can accept either a single address or a comma-separated list of addresses (for example: `10.0.0.5,2001:db8::1`). -8. 
**Optional**: Click **[Show advanced options](rancher-agent-options.md)** to specify IP address(es) to use when registering the node, override the hostname of the node, or to add [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) or [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) to the node. + ::: -9. Copy the command displayed on screen to your clipboard. + :::note Ipv6-only or Dual-stack Cluster -10. Log in to your Linux host using your preferred shell, such as PuTTy or a remote Terminal connection. Run the command copied to your clipboard. + In both IPv6-only and dual-stack clusters, you should specify the node’s **IPv6 address** as the **Node Private IP**. + + ::: + +1. Copy the command displayed on screen to your clipboard. + +1. Log in to your Linux host using your preferred shell, such as PuTTy or a remote Terminal connection. Run the command copied to your clipboard. :::note @@ -81,11 +93,9 @@ Repeat steps 7-10 if you want to dedicate specific hosts to specific node roles. ::: -11. When you finish running the command(s) on your Linux host(s), click **Done**. - **Result:** -Your cluster is created and assigned a state of **Provisioning**. Rancher is standing up your cluster. +The cluster is created and transitions to the **Updating** state while Rancher initializes and provisions cluster components. You can access your cluster after its state is updated to **Active**. diff --git a/versioned_docs/version-2.13/reference-guides/dual-stack.md b/versioned_docs/version-2.13/reference-guides/dual-stack.md new file mode 100644 index 00000000000..26914f529af --- /dev/null +++ b/versioned_docs/version-2.13/reference-guides/dual-stack.md 
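Review bot: The `:::note Bare-Metal Server` admonition added in hunk `@@ -41,39 +49,43 @@` is closed with `:::note` instead of `:::`, so the block is never terminated and the following `:::note` (the Node Public IP note) is likely to render nested or as literal text. Change that closing line to `:::`. The renumbering also leaves the unchanged sentence `Repeat steps 7-10 if you want to dedicate specific hosts to specific node roles.`, visible in the next hunk's header, pointing at step numbers that no longer exist, since every step is now `1.` and the Member Roles and **Done** steps were removed. Reword it to name the steps, for example `Repeat the Node Role, copy, and run steps for each host...`. Minor: the note title `Ipv6-only or Dual-stack Cluster` should use `IPv6-only`, as the rest of the patch does, and the **Optional** step lost its final period.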
@@ -0,0 +1,122 @@ +--- +title: IPv4/IPv6 Dual-stack +--- + + + + + +Kubernetes supports IPv4-only, IPv6-only, and dual-stack networking configurations. +For more details, refer to the official [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). + +## Installing Rancher on IPv6-Only or Dual-Stack Clusters + +Rancher can run on clusters using: + +- IPv4-only +- IPv6-only +- Dual-stack (IPv4 + IPv6) + +When you install Rancher on an **IPv6-only cluster**, it can communicate externally **only over IPv6**. This means it can provision: + +- IPv6-only clusters +- Dual-stack clusters + _(IPv4-only downstream clusters are not possible in this case)_ + +When you install Rancher on a **dual-stack cluster**, it can communicate over both IPv4 and IPv6, and can therefore provision: + +- IPv4-only clusters +- IPv6-only clusters +- Dual-stack clusters + +For installation steps, see the guide: **[Installing and Upgrading Rancher](../getting-started/installation-and-upgrade/installation-and-upgrade.md)**. + +### Requirement for the Rancher Server URL + +When provisioning IPv6-only downstream clusters, the **Rancher Server URL must be reachable over IPv6** because downstream nodes connect back to the Rancher server using IPv6. + +## Provisioning IPv6-Only or Dual-Stack Clusters + +You can provision RKE2 and K3s **Node driver** (machine pools) or **Custom cluster** (existing hosts) clusters using IPv4-only, IPv6-only, or dual-stack networking. 
+ +### Network Configuration + +To enable IPv6-only or dual-stack networking, you must configure: + +- Cluster CIDR +- Service CIDR +- Stack Preference + +Configuration references: + +- [K3s Cluster Configuration Reference](cluster-configuration/rancher-server-configuration/k3s-cluster-configuration.md) +- [RKE2 Cluster Configuration Reference](cluster-configuration/rancher-server-configuration/rke2-cluster-configuration.md) + +### Support for Windows + +Kubernetes on Windows: + +| Feature | Support Status | +|---------------------|-------------------------------| +| IPv6-only clusters | Not supported | +| Dual-stack clusters | Supported | +| Services | Limited to a single IP family | + +For more information, see the [Kubernetes Documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#windows-support). + +K3s does **not** support Windows ([FAQ](https://docs.k3s.io/faq#does-k3s-support-windows)) + +RKE2 supports Windows, but requires using either `Calico` or `Flannel` as the CNI. +Note that Windows installations of RKE2 do not support dual-stack clusters using BGP. +For more details, see [RKE2 Network Options](https://docs.rke2.io/networking/basic_network_options). + + +### Provisioning Node Driver Clusters + +Rancher currently supports assigning IPv6 addresses in **node driver** clusters with: + +- [Amazon EC2](../how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster.md) +- [DigitalOcean](../how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-a-digitalocean-cluster.md) + +Support for additional providers will be introduced in future releases. + +:::note DigitalOcean Limitation + +Creating an **IPv6-only cluster** using the DigitalOcean node driver is currently **not supported**. +For more details, please see [rancher/rancher#52523](https://github.com/rancher/rancher/issues/52523#issuecomment-3457803572). 
+ +::: + +#### Infrastructure Requirements + +Cluster nodes must meet the requirements listed in the [Node Requirements for Rancher Managed Clusters](../how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/node-requirements-for-rancher-managed-clusters.md). + +Machine pool configuration guides: + +- [Amazon EC2 Configuration](cluster-configuration/downstream-cluster-configuration/machine-configuration/amazon-ec2.md) +- [DigitalOcean Configuration](cluster-configuration/downstream-cluster-configuration/machine-configuration/digitalocean.md) + +### Provisioning Custom Clusters + +To provision on your own nodes, follow the instructions in [Provision Kubernetes on Existing Nodes](cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes.md). + +:::note + +- **Node Public IP** and **Node Private IP** fields accept IPv4, IPv6, or both (comma-separated). + > Example: `10.0.0.5,2001:db8::1` +- In **IPv6-only** and **dual-stack** clusters, specify the node’s **IPv6 address** as the **Private IP**. + +::: + +#### Infrastructure Requirements + +Infrastructure requirements are the same as above for node-driver clusters. + +## Other Limitations + +### GitHub.com + +GitHub.com does **not** support IPv6. As a result: + +- Any application repositories ( `ClusterRepo.catalog.cattle.io/v1` CR) hosted on GitHub.com will **not be reachable** from IPv6-only clusters. +- Similarly, any **non-builtin node drivers** hosted on GitHub.com will also **not be accessible** in IPv6-only environments. diff --git a/versioned_docs/version-2.13/reference-guides/rancher-webhook.md b/versioned_docs/version-2.13/reference-guides/rancher-webhook.md index b0707f39aa7..c318999bae0 100644 --- a/versioned_docs/version-2.13/reference-guides/rancher-webhook.md +++ b/versioned_docs/version-2.13/reference-guides/rancher-webhook.md 
@@ -20,10 +20,7 @@ Each Rancher version is designed to be compatible with a single version of the w | Rancher Version | Webhook Version | Availability in Prime | Availability in Community | |-----------------|-----------------|-----------------------|---------------------------| -| v2.12.3 | v0.8.3 | ✓ | ✓ | -| v2.12.2 | v0.8.2 | ✓ | ✓ | -| v2.12.1 | v0.8.1 | ✓ | ✓ | -| v2.12.0 | v0.8.0 | ✗ | ✓ | +| v2.13.0 | v0.9.0 | ✗ | ✓ | ## Why Do We Need It? diff --git a/versioned_sidebars/version-2.13-sidebars.json b/versioned_sidebars/version-2.13-sidebars.json index fec0adce00c..55d1d43b237 100644 --- a/versioned_sidebars/version-2.13-sidebars.json +++ b/versioned_sidebars/version-2.13-sidebars.json @@ -209,6 +209,7 @@ "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-freeipa", "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-azure-ad", "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github", + "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-github-app", "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc", "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-saml", "how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-pingidentity", 
@@ -738,7 +739,7 @@
 "how-to-guides/advanced-user-guides/enable-experimental-features/unsupported-storage-drivers",
 "how-to-guides/advanced-user-guides/enable-experimental-features/istio-traffic-management-features",
 "how-to-guides/advanced-user-guides/enable-experimental-features/continuous-delivery",
- "how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation"
+ "how-to-guides/advanced-user-guides/enable-experimental-features/role-template-aggregation"
 ]
 },
 "how-to-guides/advanced-user-guides/open-ports-with-firewalld",
@@ -849,9 +850,7 @@
 "type": "doc",
 "id": "reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/use-existing-nodes"
 },
- "items": [
- "reference-guides/cluster-configuration/rancher-server-configuration/use-existing-nodes/rancher-agent-options"
- ]
+ "items": []
 },
 "reference-guides/cluster-configuration/rancher-server-configuration/sync-clusters"
 ]
@@ -979,6 +978,7 @@
 "reference-guides/rancher-cluster-tools",
 "reference-guides/rancher-project-tools",
 "reference-guides/system-tools",
+ "reference-guides/dual-stack",
 "reference-guides/rke1-template-example-yaml",
 "reference-guides/rancher-webhook",
 {
@@ -1249,7 +1249,8 @@
 "items": [
 "api/workflows/projects",
 "api/workflows/kubeconfigs",
- "api/workflows/tokens"
+ "api/workflows/tokens",
+ "api/workflows/users"
 ]
 },
 "api/api-reference",