Resolve merge conflicts

Catherine Luse
2021-06-30 09:40:03 -07:00
17 changed files with 121 additions and 40 deletions
+1 -1
@@ -30,7 +30,7 @@ If you don't install CoreDNS, you will need to install a cluster DNS provider yo
Traefik is deployed by default when starting the server. For more information see [Auto Deploying Manifests]({{<baseurl>}}/k3s/latest/en/advanced/#auto-deploying-manifests). The default config file is found in `/var/lib/rancher/k3s/server/manifests/traefik.yaml` and any changes made to this file will automatically be deployed to Kubernetes in a manner similar to `kubectl apply`.
The Traefik ingress controller will use ports 80, 443, and 8080 on the host (i.e. these will not be usable for HostPort or NodePort).
The Traefik ingress controller will use ports 80 and 443 on the host (i.e. these will not be usable for HostPort or NodePort).
Traefik can be configured by editing the `traefik.yaml` file. To prevent k3s from using or overwriting the modified version, deploy k3s with `--no-deploy traefik` and store the modified copy in the `k3s/server/manifests` directory. For more information, refer to the official [Traefik for Helm Configuration Parameters.](https://github.com/helm/charts/tree/master/stable/traefik#configuration)
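Review bot: dropping 8080 from the list of host ports Traefik claims changes the documented host footprint, so any K3s port-requirements table elsewhere in the docs that still lists 8080 for Traefik should be updated in the same change; readers build firewall rules from both. On a visible context line: the last sentence tells users to store the modified copy in `k3s/server/manifests`, a relative path, while the sentence two lines up gives the full `/var/lib/rancher/k3s/server/manifests/` path; use the full path in both places.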
+1 -1
@@ -1,5 +1,5 @@
---
title: Rancher v2.5
title: Rancher 2.5.7-2.5.8+ (Latest)
weight: 1
showBreadcrumb: false
---
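Review bot: encoding a version range in the front-matter `title` ("Rancher 2.5.7-2.5.8+ (Latest)") ties the page title to release numbers that will need editing on every patch release, and the hyphen-plus form reads ambiguously (is 2.5.9 covered?). If the intent is to separate docs for 2.5.7 and later from earlier 2.5.x, consider a title such as "Rancher v2.5 (2.5.7 and later)" and state the version split once in the page body.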
+2 -2
@@ -1,6 +1,6 @@
---
title: "Rancher v2.5"
shortTitle: "Rancher v2.5"
title: "Rancher 2.5.7-2.5.8+ (Latest)"
shortTitle: "Rancher 2.5.7-2.5.8+ (Latest)"
description: "Rancher adds significant value on top of Kubernetes: managing hundreds of clusters from one interface, centralizing RBAC, enabling monitoring and alerting. Read more."
metaTitle: "Rancher 2.x Docs: What is New?"
metaDescription: "Rancher 2 adds significant value on top of Kubernetes: managing hundreds of clusters from one interface, centralizing RBAC, enabling monitoring and alerting. Read more."
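Review bot: `title` and `shortTitle` change to "Rancher 2.5.7-2.5.8+ (Latest)" but `metaTitle` ("Rancher 2.x Docs: What is New?") and `metaDescription` are left untouched, so the page title and the SEO title now disagree; update them together or note why they differ. The same version-range wording concern as in the sibling front-matter file applies here.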
@@ -9,6 +9,8 @@ Within Rancher, _roles_ determine what actions a user can make within a cluster
Note that _roles_ are different from _permissions_, which determine what clusters and projects you can access.
> It is possible for a custom role to enable privilege escalation. For details, see [this section.](#privilege-escalation)
This section covers the following topics:
- [Prerequisites](#prerequisites)
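Review bot: the new blockquote is a security warning but carries no label, while other callouts in these docs use `> **Note:**` or `>**Warning:**`; prefix it with **Warning:** so it renders like the other admonitions and is not read as a quotation.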
@@ -16,15 +18,16 @@ This section covers the following topics:
- [Creating a custom global role](#creating-a-custom-global-role)
- [Deleting a custom global role](#deleting-a-custom-global-role)
- [Assigning a custom global role to a group](#assigning-a-custom-global-role-to-a-group)
- [Privilege escalation](#privilege-escalation)
## Prerequisites
# Prerequisites
To complete the tasks on this page, one of the following permissions are required:
- [Administrator Global Permissions]({{<baseurl>}}/rancher/v2.5/en/admin-settings/rbac/global-permissions/).
- [Custom Global Permissions]({{<baseurl>}}/rancher/v2.5/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Roles]({{<baseurl>}}/rancher/v2.5/en/admin-settings/rbac/global-permissions/) role assigned.
## Creating A Custom Role for a Cluster or Project
# Creating A Custom Role for a Cluster or Project
While Rancher comes out-of-the-box with a set of default user roles, you can also create default custom roles to provide users with very specific permissions within Rancher.
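Review bot: the `##` to `#` heading promotions need to be applied consistently across the whole page, otherwise sections that were siblings end up at different levels. On visible context lines: "one of the following permissions are required" should read "is required", and "you can also create default custom roles" is contradictory (a custom role is not a default); "you can also create custom roles" says what is meant.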
@@ -57,7 +60,7 @@ The steps to add custom roles differ depending on the version of Rancher.
1. Click **Create**.
## Creating a Custom Global Role
# Creating a Custom Global Role
### Creating a Custom Global Role that Copies Rules from an Existing Role
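Review bot: promoting "Creating a Custom Global Role" to `#` leaves its child "### Creating a Custom Global Role that Copies Rules from an Existing Role" two levels below it, which skips a heading level; make the child `##` (or keep the parent at `##`) so the outline stays correctly nested.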
@@ -91,7 +94,7 @@ Custom global roles don't have to be based on existing roles. To create a custom
1. Click **Save.**
## Deleting a Custom Global Role
# Deleting a Custom Global Role
When deleting a custom global role, all global role bindings with this custom role are deleted.
@@ -105,7 +108,7 @@ To delete a custom global role,
2. On the **Global** tab, go to the custom global role that should be deleted and click **&#8942; (…) > Delete.**
3. Click **Delete.**
## Assigning a Custom Global Role to a Group
# Assigning a Custom Global Role to a Group
If you have a group of individuals that need the same level of access in Rancher, it can save time to create a custom global role. When the role is assigned to a group, the users in the group have the appropriate level of access the first time they sign into Rancher.
@@ -129,3 +132,7 @@ To assign a custom global role to a group, follow these steps:
1. Click **Create.**
**Result:** The custom global role will take effect when the users in the group log into Rancher.
# Privilege Escalation
The `Configure Catalogs` custom permission is powerful and should be used with caution. When an admin assigns the `Configure Catalogs` permission to a standard user, it could result in privilege escalation in which the user could give themselves admin access to Rancher provisioned clusters. Anyone with this permission should be considered equivalent to an admin.
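Review bot: the new Privilege Escalation section states the risk well but should tell the admin what to do about it: say explicitly that `Configure Catalogs` should be granted only to users who are already trusted as admins, and that existing grants of this permission should be reviewed. It would also help to state the scope precisely, since "admin access to Rancher provisioned clusters" leaves open whether the Rancher server itself is affected. Minor: the contents entry added earlier in this file reads "Privilege escalation" while the heading reads "Privilege Escalation".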
+2 -2
@@ -5,7 +5,7 @@ aliases:
- /rancher/v2.5/en/about/
---
This FAQ is a work in progress designed to answers the questions our users most frequently ask about Rancher v2.x.
This FAQ is a work in progress designed to answer the questions our users most frequently ask about Rancher v2.x.
See [Technical FAQ]({{<baseurl>}}/rancher/v2.5/en/faq/technical/), for frequently asked technical questions.
@@ -69,4 +69,4 @@ Our goal is to run any upstream Kubernetes clusters. Therefore, Rancher v2.x sho
**Are you going to integrate Longhorn?**
Yes. Longhorn was integrated into Rancher v2.5+.
Yes. Longhorn was integrated into Rancher v2.5+.
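Review bot: the old and new "Yes. Longhorn was integrated into Rancher v2.5+." lines are identical, so this hunk is a whitespace or end-of-file newline change only; fine to keep, but for a merge-conflict resolution it is worth confirming no conflict markers remain in this file. The same applies to the several other hunks in this commit whose lines are unchanged.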
@@ -11,18 +11,26 @@ This page describes the software, hardware, and networking requirements for the
Make sure the node(s) for the Rancher server fulfill the following requirements:
- [Operating Systems and Container Runtime Requirements](#operating-systems-and-container-runtime-requirements)
- [RKE Specific Requirements](#rke-specific-requirements)
- [K3s Specific Requirements](#k3s-specific-requirements)
- [RancherD Specific Requirements](#rancherd-specific-requirements)
- [RKE2 Specific Requirements](#rke2-specific-requirements)
- [Installing Docker](#installing-docker)
- [Hardware Requirements](#hardware-requirements)
- [CPU and Memory](#cpu-and-memory)
- [RKE and Hosted Kubernetes](#rke-and-hosted-kubernetes)
- [K3s Kubernetes](#k3s-kubernetes)
- [RancherD](#rancherd)
- [RKE2](#rke2-kubernetes)
- [CPU and Memory for Rancher before v2.4.0](#cpu-and-memory-for-rancher-before-v2-4-0)
- [RKE and Hosted Kubernetes](#rke-and-hosted-kubernetes)
- [K3s Kubernetes](#k3s-kubernetes)
- [RancherD](#rancherd)
- [RKE2 Kubernetes](#rke2-kubernetes)
- [Docker](#docker)
- [Ingress](#ingress)
- [Ingress for RKE2](#ingress-for-rke2)
- [Ingress for EKS](#ingress-for-eks)
- [Disks](#disks)
- [Networking Requirements](#networking-requirements)
- [Node IP Addresses](#node-ip-addresses)
- [Port Requirements](#port-requirements)
- [Node IP Addresses](#node-ip-addresses)
- [Port Requirements](#port-requirements)
- [RancherD on SELinux Enforcing CentOS 8 or RHEL 8 Nodes](#rancherd-on-selinux-enforcing-centos-8-or-rhel-8-nodes)
For a list of best practices that we recommend for running the Rancher server in production, refer to the [best practices section.]({{<baseurl>}}/rancher/v2.5/en/best-practices/deployment-types/)
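Review bot: the reworked contents list introduces new anchors (`#cpu-and-memory-for-rancher-before-v2-4-0`, `#ingress-for-rke2`, `#ingress-for-eks`, `#docker`) and renames the RKE2 entry to "RKE2 Kubernetes"; each needs a matching heading in the page body, which this hunk does not show, so please verify the links resolve. The nested list indentation is lost in this view, so also confirm the sub-items under "Hardware Requirements" and "Networking Requirements" are still indented in the source.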
@@ -42,7 +50,9 @@ All supported operating systems are 64-bit x86.
The `ntp` (Network Time Protocol) package should be installed. This prevents errors with certificate validation that can occur when the time is not synchronized between the client and server.
Some distributions of Linux may have default firewall rules that block communication with Helm. We recommend disabling firewalld. For Kubernetes 1.19, firewalld must be turned off.
Some distributions of Linux may have default firewall rules that block communication with Helm. We recommend disabling firewalld. For Kubernetes 1.19 and 1.20, firewalld must be turned off.
> If you don't feel comfortable doing so you might check suggestions in the [respective issue](https://github.com/rancher/rancher/issues/28840). Some users were successful [creating a separate firewalld zone with a policy of ACCEPT for the Pod CIDR](https://github.com/rancher/rancher/issues/28840#issuecomment-787404822).
If you plan to run Rancher on ARM64, see [Running on ARM64 (Experimental).]({{<baseurl>}}/rancher/v2.5/en/installation/options/arm64-platform/)
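Review bot: the added blockquote is the most useful part of this hunk, because disabling firewalld removes a host-level control entirely, but its wording ("If you don't feel comfortable doing so you might check suggestions in the respective issue") undersells it. Suggest: "If you prefer to keep firewalld enabled, see the linked issue; some users have succeeded by creating a separate firewalld zone with a policy of ACCEPT for the Pod CIDR." It would also help to state which CIDRs and ports the zone must accept rather than sending readers to an issue comment.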
@@ -62,9 +72,9 @@ If you are installing Rancher on a K3s cluster with Alpine Linux, follow [these
### RancherD Specific Requirements
_The RancherD install is available as of v2.5.4. It is an experimental feature._
_The RancherD install is available as of v2.5.4. It is an experimental feature._
At this time, only Linux OSes that leverage systemd are supported.
At this time, only Linux OSes that leverage systemd are supported.
To install RancherD on SELinux Enforcing CentOS 8 or RHEL 8 nodes, some [additional steps](#rancherd-on-selinux-enforcing-centos-8-or-rhel-8-nodes) are required.
@@ -99,8 +109,6 @@ These CPU and memory requirements apply to each host in the Kubernetes cluster w
These requirements apply to RKE Kubernetes clusters, as well as to hosted Kubernetes clusters such as EKS.
| Deployment Size | Clusters | Nodes | vCPUs | RAM |
| --------------- | ---------- | ------------ | -------| ------- |
| Small | Up to 150 | Up to 1500 | 2 | 8 GB |
@@ -109,7 +117,7 @@ These requirements apply to RKE Kubernetes clusters, as well as to hosted Kubern
| X-Large | Up to 1000 | Up to 10,000 | 16 | 64 GB |
| XX-Large | Up to 2000 | Up to 20,000 | 32 | 128 GB |
[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes.
[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes.
### K3s Kubernetes
@@ -123,7 +131,7 @@ These CPU and memory requirements apply to each host in a [K3s Kubernetes cluste
| X-Large | Up to 1000 | Up to 10,000 | 16 | 64 GB | 2 cores, 4 GB + 1000 IOPS |
| XX-Large | Up to 2000 | Up to 20,000 | 32 | 128 GB | 2 cores, 4 GB + 1000 IOPS |
[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes.
[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes.
### RancherD
@@ -189,7 +197,7 @@ To operate properly, Rancher requires a number of ports to be open on Rancher no
# RancherD on SELinux Enforcing CentOS 8 or RHEL 8 Nodes
Before installing Rancher on SELinux Enforcing CentOS 8 nodes or RHEL 8 nodes, you must install `container-selinux` and `iptables`:
Before installing Rancher on SELinux Enforcing CentOS 8 nodes or RHEL 8 nodes, you must install `container-selinux` and `iptables`:
```
sudo yum install iptables
@@ -89,7 +89,7 @@ The following tables break down the port requirements for traffic between the Ra
| TCP | 6443 | Kubernetes apiserver |
| UDP | 8472 | Canal/Flannel VXLAN overlay networking |
| TCP | 9099 | Canal/Flannel livenessProbe/readinessProbe |
| TCP | 10250 | kubelet |
| TCP | 10250 | Metrics server communication with all nodes |
| TCP | 10254 | Ingress controller livenessProbe/readinessProbe |
The following tables break down the port requirements for inbound and outbound traffic:
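Review bot: replacing "kubelet" with "Metrics server communication with all nodes" as the description of TCP 10250 loses the more important fact: 10250 is the kubelet API, a privileged endpoint regardless of who connects to it. Keep the service name and add the consumer, e.g. "kubelet API (used by the metrics server to reach all nodes)", so readers know what is listening and can scope firewall rules to expected sources rather than opening the port broadly.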
@@ -17,6 +17,6 @@ headless: true
| TCP | 9796 | Default port required by Monitoring to scrape metrics from Windows node-exporters |
| TCP | 6783 | Weave Port |
| UDP | 6783-6784 | Weave UDP Ports |
| TCP | 10250 | kubelet API |
| TCP | 10250 | Metrics server communication with all nodes API |
| TCP | 10254 | Ingress controller livenessProbe/readinessProbe |
| TCP/UDP | 30000-</br>32767 | NodePort port range |
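Review bot: "Metrics server communication with all nodes API" is awkward ("nodes API") and, as in the Linux table, drops the fact that 10250 is the kubelet API; suggest "kubelet API (metrics server scrapes all nodes)". On a visible context line: `30000-</br>32767` uses `</br>`, a closing tag with no opening; use `<br>` or `<br/>`.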
@@ -22,7 +22,7 @@ Rancher needs to be installed on a supported Kubernetes version. To find out whi
RKE2 server runs with embedded etcd so you will not need to set up an external datastore to run in HA mode.
1. On the first node, you should set up the configuration file with your own pre-shared secret as the token. The token argument can be set on startup.
On the first node, you should set up the configuration file with your own pre-shared secret as the token. The token argument can be set on startup.
If you do not specify a pre-shared secret, RKE2 will generate one and place it at /var/lib/rancher/rke2/server/node-token.
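Review bot: removing the "1." turns this sentence from a numbered step into a paragraph; check that any following steps in the file are not now numbered starting at 2 (or that the list was meant to be removed entirely). Also wrap `/var/lib/rancher/rke2/server/node-token` in backticks, as paths are elsewhere in these docs, and since that file holds the pre-shared join token it is worth one sentence saying it must be treated as a secret.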
@@ -37,8 +37,9 @@ tls-san:
- another-kubernetes-domain.com
```
After that you need to run the install command and enable and start rke2:
```
curl -sfL https://get.rke2.io | sh -
curl -sfL https://get.rke2.io | INSTALL_RKE2_CHANNEL=v1.20 sh -
systemctl enable rke2-server.service
systemctl start rke2-server.service
```
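Review bot: pinning `INSTALL_RKE2_CHANNEL=v1.20` is a good change for reproducibility, but the text should say why v1.20 (it ties to the supported Kubernetes versions mentioned at the top of this section) so the value gets bumped when support changes. The fenced block has no language tag (`bash`), and the `curl | sh` line executes a remote script unread; consider recommending that readers download the script and review it before running it.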
@@ -59,7 +59,7 @@ You can find more information about Istio configuration in the [official Istio d
To configure the resources allocated to an Istio component,
1. In the Rancher **Cluster Explorer**, navigate to your Istio installation in **Apps & Marketplace**
1. Click **Upgrade** to edit the base components via changes the values.yaml or add an [overlay file]({{<baseurl>}}/rancher/v2.5/en/istio/v2.5/configuration-reference/#overlay-file). For more information about editing the overlay file, see [this section.](./#editing-the-overlay-file)
1. Click **Upgrade** to edit the base components via changes to the values.yaml or add an [overlay file]({{<baseurl>}}/rancher/v2.5/en/istio/v2.5/configuration-reference/#overlay-file). For more information about editing the overlay file, see [this section.](./#editing-the-overlay-file)
1. Change the CPU or memory allocations, the nodes where each component will be scheduled to, or the node tolerations.
1. Click **Upgrade.** to rollout changes
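Review bot: the grammar fix in step 2 is fine; on visible context lines, step 1 lacks a terminating period and step 4 reads "Click **Upgrade.** to rollout changes", where the period belongs after the bold and "rollout" is the noun ("to roll out the changes").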
@@ -78,4 +78,4 @@ In the example overlay file provided with the Istio application, the following s
# resources:
# requests:
# cpu: 200m
```
```
@@ -13,7 +13,7 @@ This hardening guide is intended to be used for RKE clusters and associated with
----------------|-----------------------|------------------
Rancher v2.5 | Benchmark v1.5 | Kubernetes 1.15
[Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.5/Rancher_Hardening_Guide_CIS_1.6.pdf)
[Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.5/Rancher_Hardening_Guide_CIS_1.5.pdf)
### Overview
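Review bot: pointing the PDF link at `Rancher_Hardening_Guide_CIS_1.5.pdf` makes it consistent with the table row above (Rancher v2.5 | Benchmark v1.5 | Kubernetes 1.15), but this commit also adds links to a separate CIS 1.6 guide for Rancher 2.5 (`rancher-2.5/1.6-hardening-2.5/`), so confirm the 1.5 PDF is actually published at that URL and was not renamed when the 1.6 edition was added.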
@@ -35,7 +35,7 @@ To test the overlay network, you can launch the following `DaemonSet` definition
tolerations:
- operator: Exists
containers:
- image: rancher/swiss-army-knife
- image: rancherlabs/swiss-army-knife
imagePullPolicy: Always
name: overlaytest
command: ["sh", "-c", "tail -f /dev/null"]
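Review bot: the image reference changes namespace (`rancher/` to `rancherlabs/`) but still has no tag and keeps `imagePullPolicy: Always`, so every pod start pulls whatever `latest` currently is from the new repository. For a test DaemonSet that runs on every node with `operator: Exists` tolerations, pin a tag (or a digest) so the overlay test is reproducible and the image a reader runs is the one the docs were verified against.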
@@ -9,10 +9,10 @@ There are a couple of options for installing Docker. One option is to refer to t
Another option is to use one of Rancher's Docker installation scripts, which are available for most recent versions of Docker.
For example, this command could be used to install Docker 19.03 on Ubuntu:
For example, this command could be used to install Docker 20.10 on Ubuntu:
```
curl https://releases.rancher.com/install-docker/19.03.sh | sh
curl https://releases.rancher.com/install-docker/20.10.sh | sh
```
Rancher has installation scripts for every version of upstream Docker that Kubernetes supports. To find out whether a script is available for installing a certain Docker version, refer to this [GitHub repository,](https://github.com/rancher/install-docker) which contains all of Rancher's Docker installation scripts.
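Review bot: bumping the example to 20.10 is fine; the install pattern (`curl ... | sh`) executes a remote script unread, and the page already names the GitHub repository as the source, so it would help to suggest fetching the script to disk and reviewing it (or comparing it to the repository copy) before running it. The fence also lacks a `bash` language tag.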
@@ -60,6 +60,7 @@ Each version of the hardening guide is intended to be used with specific version
Hardening Guide Version | Rancher Version | CIS Benchmark Version | Kubernetes Version
------------------------|----------------|-----------------------|------------------
[Hardening Guide v2.5]({{<baseurl>}}/rancher/v2.x/en/security/rancher-2.5/1.6-hardening-2.5/) | Rancher v2.5 | Benchmark v1.6 | Kubernetes v1.18
[Hardening Guide v2.4]({{<baseurl>}}/rancher/v2.x/en/security/hardening-2.4/) | Rancher v2.4 | Benchmark v1.5 | Kubernetes v1.15
[Hardening Guide v2.3.5]({{<baseurl>}}/rancher/v2.x/en/security/hardening-2.3.5/) | Rancher v2.3.5 | Benchmark v1.5 | Kubernetes v1.15
[Hardening Guide v2.3.3]({{<baseurl>}}/rancher/v2.x/en/security/hardening-2.3.3/) | Rancher v2.3.3 | Benchmark v1.4.1 | Kubernetes v1.14, v1.15, and v1.16
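Review bot: the new row links under `/rancher/v2.x/en/security/rancher-2.5/1.6-hardening-2.5/` whereas pages elsewhere in this commit link under `/rancher/v2.5/en/...`; confirm the `v2.x` path resolves for the new page. Also, the hardening guide edited in this same commit pairs Rancher v2.5 with Benchmark v1.5 and Kubernetes 1.15, while this row pairs it with Benchmark v1.6 and Kubernetes v1.18, so either a second v2.5 row for the 1.5 guide is missing or "Hardening Guide v2.5" should carry the benchmark version to disambiguate.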
@@ -77,6 +78,7 @@ Each version of Rancher's self-assessment guide corresponds to specific versions
Self Assessment Guide Version | Rancher Version | Hardening Guide Version | Kubernetes Version | CIS Benchmark Version
---------------------------|----------|---------|-------|-----
[Self Assessment Guide v2.5]({{<baseurl>}}/rancher/v2.x/en/security/rancher-2.5/1.6-benchmark-2.5/) | Rancher v2.5 | Hardening Guide v2.5 | Kubernetes v1.18 | Benchmark v1.6
[Self Assessment Guide v2.4]({{<baseurl>}}/rancher/v2.x/en/security/benchmark-2.4/#cis-kubernetes-benchmark-1-5-0-rancher-2-4-with-kubernetes-1-15) | Rancher v2.4 | Hardening Guide v2.4 | Kubernetes v1.15 | Benchmark v1.5
[Self Assessment Guide v2.3.5]({{<baseurl>}}/rancher/v2.x/en/security/benchmark-2.3.5/#cis-kubernetes-benchmark-1-5-0-rancher-2-3-5-with-kubernetes-1-15) | Rancher v2.3.5 | Hardening Guide v2.3.5 | Kubernetes v1.15 | Benchmark v1.5
[Self Assessment Guide v2.3.3]({{<baseurl>}}/rancher/v2.x/en/security/benchmark-2.3.3/#cis-kubernetes-benchmark-1-4-1-rancher-2-3-3-with-kubernetes-1-16) | Rancher v2.3.3 | Hardening Guide v2.3.3 | Kubernetes v1.16 | Benchmark v1.4.1
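Review bot: as with the hardening guide table, "Self Assessment Guide v2.5" is ambiguous now that two benchmark versions (v1.5 and v1.6) are documented for Rancher v2.5; name the row by benchmark version as well, and verify the `v2.x` path resolves.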
@@ -19,7 +19,9 @@ By default, RKE deploys the NGINX ingress controller on all schedulable nodes.
> **Note:** As of v0.1.8, only workers are considered schedulable nodes, but before v0.1.8, worker and controlplane nodes were considered schedulable nodes.
RKE will deploy the ingress controller as a DaemonSet with `hostnetwork: true`, so ports `80`, and `443` will be opened on each node where the controller is deployed.
RKE will deploy the ingress controller as a DaemonSet with `hostNetwork: true`, so ports `80`, and `443` will be opened on each node where the controller is deployed.
> **Note:** As of v1.1.11, the network options of the ingress controller are configurable. See [Configuring network options](#configuring-network-options).
The images used for ingress controller is under the [`system_images` directive]({{<baseurl>}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with the ingress controller, but these can be overridden by changing the image tag in `system_images`.
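Review bot: the `hostnetwork` to `hostNetwork` fix is correct (the field is camelCase). On visible context lines: "ports `80`, and `443`" has a stray comma, and "The images used for ingress controller is under the ... directive" should read "The images used for the ingress controller are listed under the ... directive".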
@@ -111,6 +113,36 @@ ingress:
> **What happens if the field is omitted?** The value of `default_backend` will default to `true`. This maintains behavior with older versions of `rke`. However, a future version of `rke` will change the default value to `false`.
### Configuring network options
_Available as of v1.1.11_
By default, the nginx ingress controller is configured using `hostNetwork: true` on the default ports `80` and `443`. If you want to change the mode and/or the ports, see the options below.
Configure the nginx ingress controller using `hostPort` and override the default ports:
```yaml
ingress:
provider: nginx
network_mode: hostPort
http_port: 9090
https_port: 9443
extra_args:
http-port: 8080
https-port: 8443
```
Configure the nginx ingress controller with no network mode which will make it run on the overlay network (for example, if you want to expose the nginx ingress controller using a `LoadBalancer`) and override the default ports:
```yaml
ingress:
provider: nginx
network_mode: none
extra_args:
http-port: 8080
https-port: 8443
```
### Configuring an NGINX Default Certificate
When configuring an ingress object with TLS termination, you must provide it with a certificate used for encryption/decryption. Instead of explicitly defining a certificate each time you configure an ingress, you can set up a custom certificate that's used by default.
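Review bot: the `hostPort` example sets two different port pairs (`http_port: 9090`/`https_port: 9443` and, under `extra_args`, `http-port: 8080`/`https-port: 8443`) without saying which is the host-side port and which the controller listens on, so a reader cannot tell why both are needed or which value belongs in a firewall rule; add one sentence for each. For the second example, "with no network mode" would read better as "with `network_mode: none`", and it should say explicitly that nothing is exposed on the host until a Service (such as the `LoadBalancer` mentioned) is created. Whatever ports are chosen here should also be reflected in the port-requirements tables.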
@@ -122,6 +122,37 @@ With custom encryption configuration, RKE allows the user to provide their own c
>**Warning:** Using invalid Encryption Provider Configuration could cause several issues with your cluster, ranging from crashing the Kubernetes API service, `kube-api`, to completely losing access to encrypted data.
### Example: Using Custom Encryption Configuration with User Provided 32-byte Random Key
The following describes the steps required to configure custom encryption with a user provided 32-byte random key.
Step 1: Generate a 32 byte random key and base64 encode it. If you're on Linux or macOS, run the following command:
```
head -c 32 /dev/urandom | base64
```
Place that value in the secret field.
```yaml
kube-api:
secrets_encryption_config:
enabled: true
custom_config:
api_version: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- Providers:
- AESCBC:
Keys:
- Name: key1
Secret: <BASE 64 ENCODED SECRET>
Resources:
- secrets
- identity: {}
```
### Example: Using Custom Encryption Configuration with Amazon KMS
An example for custom configuration would be enabling an external key management system like [Amazon KMS](https://aws.amazon.com/kms/). The following is an example of the configuration for AWS KMS:
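Review bot: the `custom_config` block uses capitalised keys (`Providers`, `AESCBC`, `Keys`, `Name`, `Secret`, `Resources`) while `api_version` is snake_case and the upstream EncryptionConfiguration schema is lower-case; given the warning above that an invalid configuration can crash `kube-api` or lose access to encrypted data, this example should be verified against a real cluster before publishing. Two more points: the base64 key is pasted straight into the cluster configuration, so the page should say that this file (and any copies of it) now contains the encryption key and must be protected accordingly; and "Step 1:" has no "Step 2:" counterpart, so label the "Place that value in the secret field" sentence to match. "32 byte random key" should be hyphenated as in the heading.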
@@ -41,7 +41,7 @@
<tr>
<td>TCP</td>
<td>10250</td>
<td><ul><li>controlplane nodes</li></ul></td>
<td><ul><li>Metrics server communications with all nodes</li></ul></td>
<td>kubelet</td>
</tr>
</table>
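Review bot: this cell sits in the source column, whose other rows list node roles ("controlplane nodes"), so "Metrics server communications with all nodes" does not tell the reader which nodes a firewall rule for 10250 should allow; suggest "all nodes (metrics server)" and keep "kubelet" in the destination column as it is.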
@@ -138,7 +138,7 @@
<tr>
<td>TCP</td>
<td>10250</td>
<td><ul><li>controlplane nodes</li></ul></td>
<td><ul><li>Metrics server communications with all nodes</li></ul></td>
<td>kubelet</td>
</tr>
<tr>
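Review bot: same issue as the first 10250 row in this file: the source cell should name the nodes to allow, e.g. "all nodes (metrics server)", rather than describe the consumer.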
@@ -269,7 +269,7 @@
<tr>
<td>TCP</td>
<td>10250</td>
<td><ul><li>controlplane nodes</li></ul></td>
<td><ul><li>Metrics server communications with all nodes</li></ul></td>
<td>kubelet</td>
</tr>
<tr>
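Review bot: third occurrence of the same 10250 source-cell wording; apply the same fix here so all three tables in this file stay consistent.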