diff --git a/content/k3s/latest/en/networking/_index.md b/content/k3s/latest/en/networking/_index.md index 95cc646e57a..abe38d1bc9e 100644 --- a/content/k3s/latest/en/networking/_index.md +++ b/content/k3s/latest/en/networking/_index.md @@ -30,7 +30,7 @@ If you don't install CoreDNS, you will need to install a cluster DNS provider yo Traefik is deployed by default when starting the server. For more information see [Auto Deploying Manifests]({{}}/k3s/latest/en/advanced/#auto-deploying-manifests). The default config file is found in `/var/lib/rancher/k3s/server/manifests/traefik.yaml` and any changes made to this file will automatically be deployed to Kubernetes in a manner similar to `kubectl apply`. -The Traefik ingress controller will use ports 80, 443, and 8080 on the host (i.e. these will not be usable for HostPort or NodePort). +The Traefik ingress controller will use ports 80 and 443 on the host (i.e. these will not be usable for HostPort or NodePort). Traefik can be configured by editing the `traefik.yaml` file. To prevent k3s from using or overwriting the modified version, deploy k3s with `--no-deploy traefik` and store the modified copy in the `k3s/server/manifests` directory. For more information, refer to the official [Traefik for Helm Configuration Parameters.](https://github.com/helm/charts/tree/master/stable/traefik#configuration) diff --git a/content/rancher/v2.5/_index.md b/content/rancher/v2.5/_index.md index 811c7a9f584..fe8b9384414 100644 --- a/content/rancher/v2.5/_index.md +++ b/content/rancher/v2.5/_index.md @@ -1,5 +1,5 @@ --- -title: Rancher v2.5 +title: Rancher 2.5.7-2.5.8+ (Latest) weight: 1 showBreadcrumb: false --- diff --git a/content/rancher/v2.5/en/_index.md b/content/rancher/v2.5/en/_index.md index 1f643d850a3..d3faa2ec591 100644 --- a/content/rancher/v2.5/en/_index.md +++ b/content/rancher/v2.5/en/_index.md 
@@ -1,6 +1,6 @@ --- -title: "Rancher v2.5" -shortTitle: "Rancher v2.5" +title: "Rancher 2.5.7-2.5.8+ (Latest)" +shortTitle: "Rancher 2.5.7-2.5.8+ (Latest)" description: "Rancher adds significant value on top of Kubernetes: managing hundreds of clusters from one interface, centralizing RBAC, enabling monitoring and alerting. Read more." metaTitle: "Rancher 2.x Docs: What is New?" metaDescription: "Rancher 2 adds significant value on top of Kubernetes: managing hundreds of clusters from one interface, centralizing RBAC, enabling monitoring and alerting. Read more." diff --git a/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md b/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md index 01764ad0ace..00fd8351c06 100644 --- a/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md +++ b/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md @@ -9,6 +9,8 @@ Within Rancher, _roles_ determine what actions a user can make within a cluster Note that _roles_ are different from _permissions_, which determine what clusters and projects you can access. +> It is possible for a custom role to enable privilege escalation. For details, see [this section.](#privilege-escalation) + This section covers the following topics: - [Prerequisites](#prerequisites) 
@@ -16,15 +18,16 @@ This section covers the following topics: - [Creating a custom global role](#creating-a-custom-global-role) - [Deleting a custom global role](#deleting-a-custom-global-role) - [Assigning a custom global role to a group](#assigning-a-custom-global-role-to-a-group) +- [Privilege escalation](#privilege-escalation) -## Prerequisites +# Prerequisites To complete the tasks on this page, one of the following permissions are required: - [Administrator Global Permissions]({{}}/rancher/v2.5/en/admin-settings/rbac/global-permissions/). - [Custom Global Permissions]({{}}/rancher/v2.5/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Roles]({{}}/rancher/v2.5/en/admin-settings/rbac/global-permissions/) role assigned. -## Creating A Custom Role for a Cluster or Project +# Creating A Custom Role for a Cluster or Project While Rancher comes out-of-the-box with a set of default user roles, you can also create default custom roles to provide users with very specific permissions within Rancher. @@ -57,7 +60,7 @@ The steps to add custom roles differ depending on the version of Rancher. 1. Click **Create**. -## Creating a Custom Global Role +# Creating a Custom Global Role ### Creating a Custom Global Role that Copies Rules from an Existing Role @@ -91,7 +94,7 @@ Custom global roles don't have to be based on existing roles. To create a custom 1. Click **Save.** -## Deleting a Custom Global Role +# Deleting a Custom Global Role When deleting a custom global role, all global role bindings with this custom role are deleted. 
@@ -105,7 +108,7 @@ To delete a custom global role, 2. On the **Global** tab, go to the custom global role that should be deleted and click **⋮ (…) > Delete.** 3. Click **Delete.** -## Assigning a Custom Global Role to a Group +# Assigning a Custom Global Role to a Group If you have a group of individuals that need the same level of access in Rancher, it can save time to create a custom global role. When the role is assigned to a group, the users in the group have the appropriate level of access the first time they sign into Rancher. @@ -129,3 +132,7 @@ To assign a custom global role to a group, follow these steps: 1. Click **Create.** **Result:** The custom global role will take effect when the users in the group log into Rancher. + +# Privilege Escalation + +The `Configure Catalogs` custom permission is powerful and should be used with caution. When an admin assigns the `Configure Catalogs` permission to a standard user, it could result in privilege escalation in which the user could give themselves admin access to Rancher provisioned clusters. Anyone with this permission should be considered equivalent to an admin. \ No newline at end of file diff --git a/content/rancher/v2.5/en/faq/_index.md b/content/rancher/v2.5/en/faq/_index.md index 0aab8d42359..7cd76f88e5d 100644 --- a/content/rancher/v2.5/en/faq/_index.md +++ b/content/rancher/v2.5/en/faq/_index.md @@ -5,7 +5,7 @@ aliases: - /rancher/v2.5/en/about/ --- -This FAQ is a work in progress designed to answers the questions our users most frequently ask about Rancher v2.x. +This FAQ is a work in progress designed to answer the questions our users most frequently ask about Rancher v2.x. See [Technical FAQ]({{}}/rancher/v2.5/en/faq/technical/), for frequently asked technical questions. 
@@ -69,4 +69,4 @@ Our goal is to run any upstream Kubernetes clusters. Therefore, Rancher v2.x sho **Are you going to integrate Longhorn?** -Yes. Longhorn was integrated into Rancher v2.5+. \ No newline at end of file +Yes. Longhorn was integrated into Rancher v2.5+. diff --git a/content/rancher/v2.5/en/installation/requirements/_index.md b/content/rancher/v2.5/en/installation/requirements/_index.md index b91223043ca..9e2a6be96bf 100644 --- a/content/rancher/v2.5/en/installation/requirements/_index.md +++ b/content/rancher/v2.5/en/installation/requirements/_index.md 
@@ -11,18 +11,26 @@ This page describes the software, hardware, and networking requirements for the Make sure the node(s) for the Rancher server fulfill the following requirements: - [Operating Systems and Container Runtime Requirements](#operating-systems-and-container-runtime-requirements) + - [RKE Specific Requirements](#rke-specific-requirements) + - [K3s Specific Requirements](#k3s-specific-requirements) + - [RancherD Specific Requirements](#rancherd-specific-requirements) + - [RKE2 Specific Requirements](#rke2-specific-requirements) + - [Installing Docker](#installing-docker) - [Hardware Requirements](#hardware-requirements) - [CPU and Memory](#cpu-and-memory) - - [RKE and Hosted Kubernetes](#rke-and-hosted-kubernetes) - - [K3s Kubernetes](#k3s-kubernetes) - - [RancherD](#rancherd) - - [RKE2](#rke2-kubernetes) - - [CPU and Memory for Rancher before v2.4.0](#cpu-and-memory-for-rancher-before-v2-4-0) + - [RKE and Hosted Kubernetes](#rke-and-hosted-kubernetes) + - [K3s Kubernetes](#k3s-kubernetes) + - [RancherD](#rancherd) + - [RKE2 Kubernetes](#rke2-kubernetes) + - [Docker](#docker) - [Ingress](#ingress) + - [Ingress for RKE2](#ingress-for-rke2) + - [Ingress for EKS](#ingress-for-eks) - [Disks](#disks) - [Networking Requirements](#networking-requirements) - - [Node IP Addresses](#node-ip-addresses) - - [Port Requirements](#port-requirements) + - [Node IP Addresses](#node-ip-addresses) + - [Port Requirements](#port-requirements) +- [RancherD on SELinux Enforcing CentOS 8 or RHEL 8 Nodes](#rancherd-on-selinux-enforcing-centos-8-or-rhel-8-nodes) For a list of best practices that we recommend for running the Rancher server in production, refer to the [best practices section.]({{}}/rancher/v2.5/en/best-practices/deployment-types/) 
@@ -42,7 +50,9 @@ All supported operating systems are 64-bit x86. The `ntp` (Network Time Protocol) package should be installed. This prevents errors with certificate validation that can occur when the time is not synchronized between the client and server. -Some distributions of Linux may have default firewall rules that block communication with Helm. We recommend disabling firewalld. For Kubernetes 1.19, firewalld must be turned off. +Some distributions of Linux may have default firewall rules that block communication with Helm. We recommend disabling firewalld. For Kubernetes 1.19 and 1.20, firewalld must be turned off. + +> If you don't feel comfortable doing so you might check suggestions in the [respective issue](https://github.com/rancher/rancher/issues/28840). Some users were successful [creating a separate firewalld zone with a policy of ACCEPT for the Pod CIDR](https://github.com/rancher/rancher/issues/28840#issuecomment-787404822). If you plan to run Rancher on ARM64, see [Running on ARM64 (Experimental).]({{}}/rancher/v2.5/en/installation/options/arm64-platform/) @@ -62,9 +72,9 @@ If you are installing Rancher on a K3s cluster with Alpine Linux, follow [these ### RancherD Specific Requirements -_The RancherD install is available as of v2.5.4. It is an experimental feature._ +_The RancherD install is available as of v2.5.4. It is an experimental feature._ -At this time, only Linux OSes that leverage systemd are supported. +At this time, only Linux OSes that leverage systemd are supported. To install RancherD on SELinux Enforcing CentOS 8 or RHEL 8 nodes, some [additional steps](#rancherd-on-selinux-enforcing-centos-8-or-rhel-8-nodes) are required. 
@@ -99,8 +109,6 @@ These CPU and memory requirements apply to each host in the Kubernetes cluster w These requirements apply to RKE Kubernetes clusters, as well as to hosted Kubernetes clusters such as EKS. - - | Deployment Size | Clusters | Nodes | vCPUs | RAM | | --------------- | ---------- | ------------ | -------| ------- | | Small | Up to 150 | Up to 1500 | 2 | 8 GB | @@ -109,7 +117,7 @@ These requirements apply to RKE Kubernetes clusters, as well as to hosted Kubern | X-Large | Up to 1000 | Up to 10,000 | 16 | 64 GB | | XX-Large | Up to 2000 | Up to 20,000 | 32 | 128 GB | -[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes. +[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes. ### K3s Kubernetes @@ -123,7 +131,7 @@ These CPU and memory requirements apply to each host in a [K3s Kubernetes cluste | X-Large | Up to 1000 | Up to 10,000 | 16 | 64 GB | 2 cores, 4 GB + 1000 IOPS | | XX-Large | Up to 2000 | Up to 20,000 | 32 | 128 GB | 2 cores, 4 GB + 1000 IOPS | -[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes. +[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes. ### RancherD @@ -189,7 +197,7 @@ To operate properly, Rancher requires a number of ports to be open on Rancher no # RancherD on SELinux Enforcing CentOS 8 or RHEL 8 Nodes -Before installing Rancher on SELinux Enforcing CentOS 8 nodes or RHEL 8 nodes, you must install `container-selinux` and `iptables`: +Before installing Rancher on SELinux Enforcing CentOS 8 nodes or RHEL 8 nodes, you must install `container-selinux` and `iptables`: ``` sudo yum install iptables diff --git a/content/rancher/v2.5/en/installation/requirements/ports/_index.md b/content/rancher/v2.5/en/installation/requirements/ports/_index.md index ad874040492..eec93a29b24 100644 --- a/content/rancher/v2.5/en/installation/requirements/ports/_index.md 
+++ b/content/rancher/v2.5/en/installation/requirements/ports/_index.md @@ -89,7 +89,7 @@ The following tables break down the port requirements for traffic between the Ra | TCP | 6443 | Kubernetes apiserver | | UDP | 8472 | Canal/Flannel VXLAN overlay networking | | TCP | 9099 | Canal/Flannel livenessProbe/readinessProbe | -| TCP | 10250 | kubelet | +| TCP | 10250 | Metrics server communication with all nodes | | TCP | 10254 | Ingress controller livenessProbe/readinessProbe | The following tables break down the port requirements for inbound and outbound traffic: diff --git a/content/rancher/v2.5/en/installation/requirements/ports/common-ports-table/index.md b/content/rancher/v2.5/en/installation/requirements/ports/common-ports-table/index.md index 86bb7177bbe..4819129eb27 100644 --- a/content/rancher/v2.5/en/installation/requirements/ports/common-ports-table/index.md +++ b/content/rancher/v2.5/en/installation/requirements/ports/common-ports-table/index.md @@ -17,6 +17,6 @@ headless: true | TCP | 9796 | Default port required by Monitoring to scrape metrics from Windows node-exporters | | TCP | 6783 | Weave Port | | UDP | 6783-6784 | Weave UDP Ports | -| TCP | 10250 | kubelet API | +| TCP | 10250 | Metrics server communication with all nodes API | | TCP | 10254 | Ingress controller livenessProbe/readinessProbe | | TCP/UDP | 30000-
32767 | NodePort port range | diff --git a/content/rancher/v2.5/en/installation/resources/k8s-tutorials/ha-rke2/_index.md b/content/rancher/v2.5/en/installation/resources/k8s-tutorials/ha-rke2/_index.md index 55ed67ad198..715d31f2063 100644 --- a/content/rancher/v2.5/en/installation/resources/k8s-tutorials/ha-rke2/_index.md +++ b/content/rancher/v2.5/en/installation/resources/k8s-tutorials/ha-rke2/_index.md @@ -22,7 +22,7 @@ Rancher needs to be installed on a supported Kubernetes version. To find out whi RKE2 server runs with embedded etcd so you will not need to set up an external datastore to run in HA mode. -1. On the first node, you should set up the configuration file with your own pre-shared secret as the token. The token argument can be set on startup. +On the first node, you should set up the configuration file with your own pre-shared secret as the token. The token argument can be set on startup. If you do not specify a pre-shared secret, RKE2 will generate one and place it at /var/lib/rancher/rke2/server/node-token. @@ -37,8 +37,9 @@ tls-san: - another-kubernetes-domain.com ``` After that you need to run the install command and enable and start rke2: + ``` -curl -sfL https://get.rke2.io | sh - +curl -sfL https://get.rke2.io | INSTALL_RKE2_CHANNEL=v1.20 sh - systemctl enable rke2-server.service systemctl start rke2-server.service ``` diff --git a/content/rancher/v2.5/en/istio/resources/_index.md b/content/rancher/v2.5/en/istio/resources/_index.md index d4fbc4f3777..274fcd34b34 100644 --- a/content/rancher/v2.5/en/istio/resources/_index.md +++ b/content/rancher/v2.5/en/istio/resources/_index.md 
@@ -59,7 +59,7 @@ You can find more information about Istio configuration in the [official Istio d To configure the resources allocated to an Istio component, 1. In the Rancher **Cluster Explorer**, navigate to your Istio installation in **Apps & Marketplace** -1. Click **Upgrade** to edit the base components via changes the values.yaml or add an [overlay file]({{}}/rancher/v2.5/en/istio/v2.5/configuration-reference/#overlay-file). For more information about editing the overlay file, see [this section.](./#editing-the-overlay-file) +1. Click **Upgrade** to edit the base components via changes to the values.yaml or add an [overlay file]({{}}/rancher/v2.5/en/istio/v2.5/configuration-reference/#overlay-file). For more information about editing the overlay file, see [this section.](./#editing-the-overlay-file) 1. Change the CPU or memory allocations, the nodes where each component will be scheduled to, or the node tolerations. 1. Click **Upgrade.** to rollout changes @@ -78,4 +78,4 @@ In the example overlay file provided with the Istio application, the following s # resources: # requests: # cpu: 200m -``` \ No newline at end of file +``` diff --git a/content/rancher/v2.5/en/security/rancher-2.5/1.5-hardening-2.5/_index.md b/content/rancher/v2.5/en/security/rancher-2.5/1.5-hardening-2.5/_index.md index 939089cadae..13e8edb74a1 100644 --- a/content/rancher/v2.5/en/security/rancher-2.5/1.5-hardening-2.5/_index.md +++ b/content/rancher/v2.5/en/security/rancher-2.5/1.5-hardening-2.5/_index.md 
@@ -13,7 +13,7 @@ This hardening guide is intended to be used for RKE clusters and associated with ----------------|-----------------------|------------------ Rancher v2.5 | Benchmark v1.5 | Kubernetes 1.15 -[Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.5/Rancher_Hardening_Guide_CIS_1.6.pdf) +[Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.5/Rancher_Hardening_Guide_CIS_1.5.pdf) ### Overview diff --git a/content/rancher/v2.5/en/troubleshooting/networking/_index.md b/content/rancher/v2.5/en/troubleshooting/networking/_index.md index ac1f7a48ce1..9979ef2e205 100644 --- a/content/rancher/v2.5/en/troubleshooting/networking/_index.md +++ b/content/rancher/v2.5/en/troubleshooting/networking/_index.md @@ -35,7 +35,7 @@ To test the overlay network, you can launch the following `DaemonSet` definition tolerations: - operator: Exists containers: - - image: rancher/swiss-army-knife + - image: rancherlabs/swiss-army-knife imagePullPolicy: Always name: overlaytest command: ["sh", "-c", "tail -f /dev/null"] diff --git a/content/rancher/v2.x/en/installation/requirements/installing-docker/_index.md b/content/rancher/v2.x/en/installation/requirements/installing-docker/_index.md index 4414cb08794..02a005d245f 100644 --- a/content/rancher/v2.x/en/installation/requirements/installing-docker/_index.md +++ b/content/rancher/v2.x/en/installation/requirements/installing-docker/_index.md 
@@ -9,10 +9,10 @@ There are a couple of options for installing Docker. One option is to refer to t Another option is to use one of Rancher's Docker installation scripts, which are available for most recent versions of Docker. -For example, this command could be used to install Docker 19.03 on Ubuntu: +For example, this command could be used to install Docker 20.10 on Ubuntu: ``` -curl https://releases.rancher.com/install-docker/19.03.sh | sh +curl https://releases.rancher.com/install-docker/20.10.sh | sh ``` Rancher has installation scripts for every version of upstream Docker that Kubernetes supports. To find out whether a script is available for installing a certain Docker version, refer to this [GitHub repository,](https://github.com/rancher/install-docker) which contains all of Rancher's Docker installation scripts. diff --git a/content/rancher/v2.x/en/security/_index.md b/content/rancher/v2.x/en/security/_index.md index c27c4c504ac..e0105e9821c 100644 --- a/content/rancher/v2.x/en/security/_index.md +++ b/content/rancher/v2.x/en/security/_index.md @@ -60,6 +60,7 @@ Each version of the hardening guide is intended to be used with specific version Hardening Guide Version | Rancher Version | CIS Benchmark Version | Kubernetes Version ------------------------|----------------|-----------------------|------------------ +[Hardening Guide v2.5]({{}}/rancher/v2.x/en/security/rancher-2.5/1.6-hardening-2.5/) | Rancher v2.5 | Benchmark v1.6 | Kubernetes v1.18 [Hardening Guide v2.4]({{}}/rancher/v2.x/en/security/hardening-2.4/) | Rancher v2.4 | Benchmark v1.5 | Kubernetes v1.15 [Hardening Guide v2.3.5]({{}}/rancher/v2.x/en/security/hardening-2.3.5/) | Rancher v2.3.5 | Benchmark v1.5 | Kubernetes v1.15 [Hardening Guide v2.3.3]({{}}/rancher/v2.x/en/security/hardening-2.3.3/) | Rancher v2.3.3 | Benchmark v1.4.1 | Kubernetes v1.14, v1.15, and v1.16 
@@ -77,6 +78,7 @@ Each version of Rancher's self-assessment guide corresponds to specific versions Self Assessment Guide Version | Rancher Version | Hardening Guide Version | Kubernetes Version | CIS Benchmark Version ---------------------------|----------|---------|-------|----- +[Self Assessment Guide v2.5]({{}}/rancher/v2.x/en/security/rancher-2.5/1.6-benchmark-2.5/) | Rancher v2.5 | Hardening Guide v2.5 | Kubernetes v1.18 | Benchmark v1.6 [Self Assessment Guide v2.4]({{}}/rancher/v2.x/en/security/benchmark-2.4/#cis-kubernetes-benchmark-1-5-0-rancher-2-4-with-kubernetes-1-15) | Rancher v2.4 | Hardening Guide v2.4 | Kubernetes v1.15 | Benchmark v1.5 [Self Assessment Guide v2.3.5]({{}}/rancher/v2.x/en/security/benchmark-2.3.5/#cis-kubernetes-benchmark-1-5-0-rancher-2-3-5-with-kubernetes-1-15) | Rancher v2.3.5 | Hardening Guide v2.3.5 | Kubernetes v1.15 | Benchmark v1.5 [Self Assessment Guide v2.3.3]({{}}/rancher/v2.x/en/security/benchmark-2.3.3/#cis-kubernetes-benchmark-1-4-1-rancher-2-3-3-with-kubernetes-1-16) | Rancher v2.3.3 | Hardening Guide v2.3.3 | Kubernetes v1.16 | Benchmark v1.4.1 diff --git a/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md b/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md index 827046e6f61..fae1012abc9 100644 --- a/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md +++ b/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md 
@@ -19,7 +19,9 @@ By default, RKE deploys the NGINX ingress controller on all schedulable nodes. > **Note:** As of v0.1.8, only workers are considered schedulable nodes, but before v0.1.8, worker and controlplane nodes were considered schedulable nodes. -RKE will deploy the ingress controller as a DaemonSet with `hostnetwork: true`, so ports `80`, and `443` will be opened on each node where the controller is deployed. +RKE will deploy the ingress controller as a DaemonSet with `hostNetwork: true`, so ports `80`, and `443` will be opened on each node where the controller is deployed. + +> **Note:** As of v1.1.11, the network options of the ingress controller are configurable. See [Configuring network options](#configuring-network-options). The images used for ingress controller is under the [`system_images` directive]({{}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with the ingress controller, but these can be overridden by changing the image tag in `system_images`. 
@@ -111,6 +113,36 @@ ingress: > **What happens if the field is omitted?** The value of `default_backend` will default to `true`. This maintains behavior with older versions of `rke`. However, a future version of `rke` will change the default value to `false`. +### Configuring network options + +_Available as of v1.1.11_ + +By default, the nginx ingress controller is configured using `hostNetwork: true` on the default ports `80` and `443`. If you want to change the mode and/or the ports, see the options below. + +Configure the nginx ingress controller using `hostPort` and override the default ports: + +```yaml +ingress: + provider: nginx + network_mode: hostPort + http_port: 9090 + https_port: 9443 + extra_args: + http-port: 8080 + https-port: 8443 +``` + +Configure the nginx ingress controller with no network mode which will make it run on the overlay network (for example, if you want to expose the nginx ingress controller using a `LoadBalancer`) and override the default ports: + +```yaml +ingress: + provider: nginx + network_mode: none + extra_args: + http-port: 8080 + https-port: 8443 +``` + ### Configuring an NGINX Default Certificate When configuring an ingress object with TLS termination, you must provide it with a certificate used for encryption/decryption. Instead of explicitly defining a certificate each time you configure an ingress, you can set up a custom certificate that's used by default. diff --git a/content/rke/latest/en/config-options/secrets-encryption/_index.md b/content/rke/latest/en/config-options/secrets-encryption/_index.md index c4dc378a249..5801592df0a 100644 --- a/content/rke/latest/en/config-options/secrets-encryption/_index.md +++ b/content/rke/latest/en/config-options/secrets-encryption/_index.md 
@@ -122,6 +122,37 @@ With custom encryption configuration, RKE allows the user to provide their own c >**Warning:** Using invalid Encryption Provider Configuration could cause several issues with your cluster, ranging from crashing the Kubernetes API service, `kube-api`, to completely losing access to encrypted data. +### Example: Using Custom Encryption Configuration with User Provided 32-byte Random Key + +The following describes the steps required to configure custom encryption with a user provided 32-byte random key. + +Step 1: Generate a 32 byte random key and base64 encode it. If you're on Linux or macOS, run the following command: + +``` +head -c 32 /dev/urandom | base64 +``` + +Place that value in the secret field. + +```yaml +kube-api: + secrets_encryption_config: + enabled: true + custom_config: + api_version: apiserver.config.k8s.io/v1 + kind: EncryptionConfiguration + resources: + - Providers: + - AESCBC: + Keys: + - Name: key1 + Secret: + Resources: + - secrets + - identity: {} +``` + + ### Example: Using Custom Encryption Configuration with Amazon KMS An example for custom configuration would be enabling an external key management system like [Amazon KMS](https://aws.amazon.com/kms/). The following is an example of the configuration for AWS KMS: diff --git a/layouts/shortcodes/requirements_ports_rke.html b/layouts/shortcodes/requirements_ports_rke.html index 1d5dfdbbb93..1957b009106 100644 --- a/layouts/shortcodes/requirements_ports_rke.html +++ b/layouts/shortcodes/requirements_ports_rke.html @@ -41,7 +41,7 @@ TCP 10250 -
  • controlplane nodes
+
  • Metrics server communications with all nodes
kubelet @@ -138,7 +138,7 @@ TCP 10250 -
  • controlplane nodes
+
  • Metrics server communications with all nodes
kubelet @@ -269,7 +269,7 @@ TCP 10250 -
  • controlplane nodes
+
  • Metrics server communications with all nodes
kubelet
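Review bot: in the k3s networking hunk (`content/k3s/latest/en/networking/_index.md`, `@@ -30,7 +30,7 @@`), the unchanged sentence after the edited line tells users to "store the modified copy in the `k3s/server/manifests` directory", a relative path that does not match the absolute `/var/lib/rancher/k3s/server/manifests/traefik.yaml` given two lines earlier; use the full path in both places so a reader who only changes the port list does not put the file in the wrong directory.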
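Review bot: the new title `Rancher 2.5.7-2.5.8+ (Latest)` (hunks in `content/rancher/v2.5/_index.md` and `content/rancher/v2.5/en/_index.md`, `title` and `shortTitle`) is ambiguous: a hyphenated range followed by `+` reads as both a closed range and an open-ended one, and it drops the `v` prefix that every other version reference in this PR uses (`Rancher v2.5`, `Rancher v2.4`). Suggest `Rancher v2.5.7+ (Latest)` or simply keeping `Rancher v2.5`.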
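Review bot: the added `# Privilege Escalation` section (`default-custom-roles/_index.md`, `@@ -129,3 +132,7 @@`) leaves the file with `\ No newline at end of file`, the very defect the FAQ hunk in this PR fixes elsewhere; add the trailing newline. The heading `Privilege Escalation` also disagrees in casing with the TOC entry `- [Privilege escalation](#privilege-escalation)` added in `@@ -16,15 +18,16 @@`; the rest of the page uses Title Case, so change the TOC entry. Since the section says anyone holding `Configure Catalogs` "should be considered equivalent to an admin", consider adding one sentence advising admins to review existing bindings that already grant this permission, not only future assignments.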
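Review bot: the new blockquote in the firewalld hunk (`installation/requirements/_index.md`, `@@ -42,7 +50,9 @@`) contradicts the sentence directly above it: that sentence says firewalld "must be turned off" for Kubernetes 1.19 and 1.20, while the quote points readers to a GitHub issue comment where "some users were successful creating a separate firewalld zone with a policy of ACCEPT for the Pod CIDR". State plainly that this is a community-reported, unsupported workaround, and fix the grammar ("If you don't feel comfortable doing so, you might check ..."). A blanket ACCEPT for the Pod CIDR also deserves a word on what it opens on the host, so readers can weigh it against simply disabling firewalld.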
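Review bot: replacing `kubelet` with `Metrics server communication with all nodes` for TCP 10250 (`requirements/ports/_index.md`, `@@ -89,7 +89,7 @@`, and `common-ports-table/index.md`, `@@ -17,6 +17,6 @@`) removes the one fact a reader needs from a port table, namely which service listens there, and in the second table produces the ungrammatical `Metrics server communication with all nodes API`. The shortcode hunks in this same PR take the better approach: they keep `kubelet` as the description and add the metrics server as an additional source. Suggest `kubelet API (also used by Metrics Server to reach all nodes)` in both markdown tables so it stays clear that opening 10250 exposes the kubelet.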
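Review bot: the install line `curl -sfL https://get.rke2.io | INSTALL_RKE2_CHANNEL=v1.20 sh -` (`ha-rke2/_index.md`, `@@ -37,8 +37,9 @@`) hard-codes a channel without saying what the variable does or why `v1.20`; the hunk context already states that "Rancher needs to be installed on a supported Kubernetes version", so add one sentence telling readers to pick the channel from the support matrix rather than copy the literal. In `@@ -22,7 +22,7 @@` the leading `1.` is removed from "On the first node, you should set up the configuration file ..."; check that later steps in the file are not still numbered as a continuation of that list.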
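Review bot: while fixing "via changes to the values.yaml" (`istio/resources/_index.md`, `@@ -59,7 +59,7 @@`), the next unchanged list item `1. Click **Upgrade.** to rollout changes` has the period inside the bold span and should read "roll out"; `values.yaml` should also be in code formatting like `traefik.yaml` elsewhere in this PR.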
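Review bot: `- image: rancherlabs/swiss-army-knife` (`troubleshooting/networking/_index.md`, `@@ -35,7 +35,7 @@`) carries no tag or digest and sits next to `imagePullPolicy: Always`, so every node in the DaemonSet (which tolerates everything via `- operator: Exists`) pulls whatever `latest` resolves to at that moment. Pin a tag or digest so the overlay test is reproducible and the image running on every node is the one that was reviewed.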
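Review bot: `curl https://releases.rancher.com/install-docker/20.10.sh | sh` (`installing-docker/_index.md`, `@@ -9,10 +9,10 @@`) has no `-f`, so a non-2xx response body would be piped straight into `sh`; the RKE2 hunk in this PR already uses `curl -sfL`, so use the same flags here (`curl -fsSL ... | sh`) for consistency and to fail closed on a bad download.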
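Review bot: the new table rows (`security/_index.md`, `@@ -60,6 +60,7 @@` and `@@ -77,6 +78,7 @@`) list only `rancher-2.5/1.6-hardening-2.5/` (Benchmark v1.6, Kubernetes v1.18) and its self-assessment guide, yet this same PR edits `rancher-2.5/1.5-hardening-2.5/_index.md`, whose own table reads `Rancher v2.5 | Benchmark v1.5 | Kubernetes 1.15`. Add rows for the 1.5 variant in both tables so readers can find the guide that matches their benchmark version, and align the Kubernetes column format (`v1.18` here versus `1.15` on the hardening page).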
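Review bot: the `### Configuring network options` section (`ingress-controllers/_index.md`, `@@ -111,6 +113,36 @@`) shows two port pairs in the `hostPort` example, `http_port: 9090` / `https_port: 9443` and `extra_args: http-port: 8080` / `https-port: 8443`, without saying which pair is bound on the host and which is the controller's listen port, so a reader cannot tell which one to expose or firewall. Add a sentence for each, list the accepted `network_mode` values the text implies (`hostNetwork`, `hostPort`, `none`), and for the `network_mode: none` example say that the `LoadBalancer` Service must target the `extra_args` ports. "with no network mode which will make it run on the overlay network" also needs a comma before "which".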
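Review bot: the custom encryption example (`secrets-encryption/_index.md`, `@@ -122,6 +122,37 @@`) mixes key casing inside one YAML block (`Providers`, `AESCBC`, `Keys`, `Name`, `Secret` capitalized, `resources` and `identity: {}` lowercase); pick one style. `Secret:` is left empty with only "Place that value in the secret field" above it, so mark it as a placeholder explicitly. Since the base64 key now lives in the cluster configuration file, add a sentence that this file must be protected and kept out of version control: the warning above covers losing the key, but not disclosing it. Minor: "32 byte" versus "32-byte" in the heading and step, and there are two blank lines before `### Example: Using Custom Encryption Configuration with Amazon KMS`.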
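Review bot: the three shortcode hunks (`layouts/shortcodes/requirements_ports_rke.html`, `@@ -41,7 +41,7 @@`, `@@ -138,7 +138,7 @@`, `@@ -269,7 +269,7 @@`) add `• Metrics server communications with all nodes` (plural) while the markdown tables in this PR say `Metrics server communication with all nodes`; align the wording, and since the same bullet is pasted three times, consider factoring it so future edits do not have to be made in triplicate.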