From 8ae495ed9075bc21666f36227c1136ff25957711 Mon Sep 17 00:00:00 2001 From: Ross Kirkpatrick Date: Fri, 26 Mar 2021 10:33:45 -0400 Subject: [PATCH 01/20] add instructions for custom encryption with user generated key --- .../secrets-encryption/_index.md | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/content/rke/latest/en/config-options/secrets-encryption/_index.md b/content/rke/latest/en/config-options/secrets-encryption/_index.md index c4dc378a249..5801592df0a 100644 --- a/content/rke/latest/en/config-options/secrets-encryption/_index.md +++ b/content/rke/latest/en/config-options/secrets-encryption/_index.md @@ -122,6 +122,37 @@ With custom encryption configuration, RKE allows the user to provide their own c >**Warning:** Using invalid Encryption Provider Configuration could cause several issues with your cluster, ranging from crashing the Kubernetes API service, `kube-api`, to completely losing access to encrypted data. +### Example: Using Custom Encryption Configuration with User Provided 32-byte Random Key + +The following describes the steps required to configure custom encryption with a user provided 32-byte random key. + +Step 1: Generate a 32 byte random key and base64 encode it. If you're on Linux or macOS, run the following command: + +``` +head -c 32 /dev/urandom | base64 +``` + +Place that value in the secret field. + +```yaml +kube-api: + secrets_encryption_config: + enabled: true + custom_config: + api_version: apiserver.config.k8s.io/v1 + kind: EncryptionConfiguration + resources: + - Providers: + - AESCBC: + Keys: + - Name: key1 + Secret: + Resources: + - secrets + - identity: {} +``` + + ### Example: Using Custom Encryption Configuration with Amazon KMS An example for custom configuration would be enabling an external key management system like [Amazon KMS](https://aws.amazon.com/kms/). The following is an example of the configuration for AWS KMS: From 11d53df7fbf0e6f437c98c06931a0901201f329b Mon Sep 17 00:00:00 2001 
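Review bot: the `Secret:` field in the new aescbc block is left empty and the sentence above only says to put the generated value "in the secret field"; give it an obvious placeholder (for example `Secret: <base64-encoded-32-byte-key>`) and name the field in the sentence so readers know where the `head -c 32 /dev/urandom | base64` output goes. The key then lives in plaintext in cluster.yml and in the RKE state file derived from it, so those files need the same protection as the Secrets they encrypt; a one-line caveat next to the existing warning would cover that, and it is worth pointing out that the Amazon KMS example that follows keeps key material off the node, which is the stronger option. Two smaller points: "Step 1:" has no Step 2, so either number the remaining steps or drop the label, and the capitalised keys (`Providers`, `AESCBC`, `Keys`, `Name`, `Secret`) differ from the upstream EncryptionConfiguration spelling (`providers`, `aescbc`, `keys`, `name`, `secret`); if RKE accepts both, matching upstream avoids confusion for readers comparing with the Kubernetes docs.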
From: Sebastiaan van Steenis Date: Thu, 27 May 2021 18:54:35 +0200 Subject: [PATCH 02/20] Describe ingress controller network options --- .../add-ons/ingress-controllers/_index.md | 34 ++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md b/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md index 827046e6f61..fae1012abc9 100644 --- a/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md +++ b/content/rke/latest/en/config-options/add-ons/ingress-controllers/_index.md @@ -19,7 +19,9 @@ By default, RKE deploys the NGINX ingress controller on all schedulable nodes. > **Note:** As of v0.1.8, only workers are considered schedulable nodes, but before v0.1.8, worker and controlplane nodes were considered schedulable nodes. -RKE will deploy the ingress controller as a DaemonSet with `hostnetwork: true`, so ports `80`, and `443` will be opened on each node where the controller is deployed. +RKE will deploy the ingress controller as a DaemonSet with `hostNetwork: true`, so ports `80`, and `443` will be opened on each node where the controller is deployed. + +> **Note:** As of v1.1.11, the network options of the ingress controller are configurable. See [Configuring network options](#configuring-network-options). The images used for ingress controller is under the [`system_images` directive]({{}}/rke/latest/en/config-options/system-images/). For each Kubernetes version, there are default images associated with the ingress controller, but these can be overridden by changing the image tag in `system_images`. 
@@ -111,6 +113,36 @@ ingress: > **What happens if the field is omitted?** The value of `default_backend` will default to `true`. This maintains behavior with older versions of `rke`. However, a future version of `rke` will change the default value to `false`. +### Configuring network options + +_Available as of v1.1.11_ + +By default, the nginx ingress controller is configured using `hostNetwork: true` on the default ports `80` and `443`. If you want to change the mode and/or the ports, see the options below. + +Configure the nginx ingress controller using `hostPort` and override the default ports: + +```yaml +ingress: + provider: nginx + network_mode: hostPort + http_port: 9090 + https_port: 9443 + extra_args: + http-port: 8080 + https-port: 8443 +``` + +Configure the nginx ingress controller with no network mode which will make it run on the overlay network (for example, if you want to expose the nginx ingress controller using a `LoadBalancer`) and override the default ports: + +```yaml +ingress: + provider: nginx + network_mode: none + extra_args: + http-port: 8080 + https-port: 8443 +``` + ### Configuring an NGINX Default Certificate When configuring an ingress object with TLS termination, you must provide it with a certificate used for encryption/decryption. Instead of explicitly defining a certificate each time you configure an ingress, you can set up a custom certificate that's used by default. From a0afe4b4e5914a75ef0f900c30161436c6f1eee0 Mon Sep 17 00:00:00 2001 From: Tejeev Date: Thu, 17 Jun 2021 16:03:48 +0100 Subject: [PATCH 03/20] corrected the image address --- content/rancher/v2.5/en/troubleshooting/networking/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.5/en/troubleshooting/networking/_index.md b/content/rancher/v2.5/en/troubleshooting/networking/_index.md index ac1f7a48ce1..9979ef2e205 100644 --- a/content/rancher/v2.5/en/troubleshooting/networking/_index.md 
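Review bot: the `hostPort` example sets two different port pairs, `http_port: 9090`/`https_port: 9443` and the `extra_args` values `http-port: 8080`/`https-port: 8443`, without saying which is which; add a sentence that `http_port`/`https_port` are the ports exposed on the node and the `extra_args` values are the ports the controller process listens on inside the pod, otherwise readers will not see why both appear. The `network_mode: none` example likewise only changes the listen ports, so state that the user still has to create the `LoadBalancer` (or other) Service targeting 8080/8443, since nothing in the snippet exposes the controller. It would also help to list the accepted `network_mode` values once (`hostNetwork` as the default, `hostPort`, `none`) rather than leaving them to be inferred from the two examples.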
+++ b/content/rancher/v2.5/en/troubleshooting/networking/_index.md @@ -35,7 +35,7 @@ To test the overlay network, you can launch the following `DaemonSet` definition tolerations: - operator: Exists containers: - - image: rancher/swiss-army-knife + - image: rancherlabs/swiss-army-knife imagePullPolicy: Always name: overlaytest command: ["sh", "-c", "tail -f /dev/null"] From 2b11a0046ab8cfae05d36920dd426da06fbffdd5 Mon Sep 17 00:00:00 2001 From: Manuel Buil Date: Thu, 17 Jun 2021 18:15:12 +0200 Subject: [PATCH 04/20] Fix docs bug Signed-off-by: Manuel Buil --- content/k3s/latest/en/networking/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/k3s/latest/en/networking/_index.md b/content/k3s/latest/en/networking/_index.md index 95cc646e57a..abe38d1bc9e 100644 --- a/content/k3s/latest/en/networking/_index.md +++ b/content/k3s/latest/en/networking/_index.md 
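Review bot: the changed `image:` line still carries no tag, and with `imagePullPolicy: Always` every pod restart pulls whatever `latest` currently points to under the new `rancherlabs` namespace; for a troubleshooting DaemonSet that runs on every node, pin a specific tag (or a digest) so the test image is reproducible and a future move of the repository does not silently change what runs.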
@@ -30,7 +30,7 @@ If you don't install CoreDNS, you will need to install a cluster DNS provider yo Traefik is deployed by default when starting the server. For more information see [Auto Deploying Manifests]({{}}/k3s/latest/en/advanced/#auto-deploying-manifests). The default config file is found in `/var/lib/rancher/k3s/server/manifests/traefik.yaml` and any changes made to this file will automatically be deployed to Kubernetes in a manner similar to `kubectl apply`. -The Traefik ingress controller will use ports 80, 443, and 8080 on the host (i.e. these will not be usable for HostPort or NodePort). +The Traefik ingress controller will use ports 80 and 443 on the host (i.e. these will not be usable for HostPort or NodePort). Traefik can be configured by editing the `traefik.yaml` file. To prevent k3s from using or overwriting the modified version, deploy k3s with `--no-deploy traefik` and store the modified copy in the `k3s/server/manifests` directory. For more information, refer to the official [Traefik for Helm Configuration Parameters.](https://github.com/helm/charts/tree/master/stable/traefik#configuration) From 18fbf9d871e6820a93c9d6f93d640480665d699a Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Thu, 17 Jun 2021 22:22:49 +0000 Subject: [PATCH 05/20] Fix typos --- content/rancher/v2.5/en/faq/_index.md | 4 ++-- content/rancher/v2.5/en/istio/resources/_index.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/content/rancher/v2.5/en/faq/_index.md b/content/rancher/v2.5/en/faq/_index.md index 0aab8d42359..7cd76f88e5d 100644 --- a/content/rancher/v2.5/en/faq/_index.md +++ b/content/rancher/v2.5/en/faq/_index.md 
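Review bot: the commit message "Fix docs bug" does not say why host port 8080 is dropped from the Traefik sentence; state the K3s or Traefik version from which 8080 is no longer bound on the host, so readers on older releases know the previous text still applies to them. The unchanged context line still recommends `--no-deploy traefik`; if that flag is deprecated in the K3s versions this page covers, it deserves a follow-up in the same file.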
@@ -5,7 +5,7 @@ aliases: - /rancher/v2.5/en/about/ --- -This FAQ is a work in progress designed to answers the questions our users most frequently ask about Rancher v2.x. +This FAQ is a work in progress designed to answer the questions our users most frequently ask about Rancher v2.x. See [Technical FAQ]({{}}/rancher/v2.5/en/faq/technical/), for frequently asked technical questions. @@ -69,4 +69,4 @@ Our goal is to run any upstream Kubernetes clusters. Therefore, Rancher v2.x sho **Are you going to integrate Longhorn?** -Yes. Longhorn was integrated into Rancher v2.5+. \ No newline at end of file +Yes. Longhorn was integrated into Rancher v2.5+. diff --git a/content/rancher/v2.5/en/istio/resources/_index.md b/content/rancher/v2.5/en/istio/resources/_index.md index d4fbc4f3777..274fcd34b34 100644 --- a/content/rancher/v2.5/en/istio/resources/_index.md +++ b/content/rancher/v2.5/en/istio/resources/_index.md @@ -59,7 +59,7 @@ You can find more information about Istio configuration in the [official Istio d To configure the resources allocated to an Istio component, 1. In the Rancher **Cluster Explorer**, navigate to your Istio installation in **Apps & Marketplace** -1. Click **Upgrade** to edit the base components via changes the values.yaml or add an [overlay file]({{}}/rancher/v2.5/en/istio/v2.5/configuration-reference/#overlay-file). For more information about editing the overlay file, see [this section.](./#editing-the-overlay-file) +1. Click **Upgrade** to edit the base components via changes to the values.yaml or add an [overlay file]({{}}/rancher/v2.5/en/istio/v2.5/configuration-reference/#overlay-file). For more information about editing the overlay file, see [this section.](./#editing-the-overlay-file) 1. Change the CPU or memory allocations, the nodes where each component will be scheduled to, or the node tolerations. 1. Click **Upgrade.** to rollout changes 
@@ -78,4 +78,4 @@ In the example overlay file provided with the Istio application, the following s # resources: # requests: # cpu: 200m -``` \ No newline at end of file +``` From 2cfc9059d2bb045d1fa017a2d166bd800d5b7dbb Mon Sep 17 00:00:00 2001 From: jgallucci32 Date: Mon, 21 Jun 2021 16:33:33 -0700 Subject: [PATCH 06/20] Update docker installation script to use 20.10 Updates the installation script to use the latest version of Docker supported by Rancher. --- .../en/installation/requirements/installing-docker/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/rancher/v2.x/en/installation/requirements/installing-docker/_index.md b/content/rancher/v2.x/en/installation/requirements/installing-docker/_index.md index 4414cb08794..02a005d245f 100644 --- a/content/rancher/v2.x/en/installation/requirements/installing-docker/_index.md +++ b/content/rancher/v2.x/en/installation/requirements/installing-docker/_index.md @@ -9,10 +9,10 @@ There are a couple of options for installing Docker. One option is to refer to t Another option is to use one of Rancher's Docker installation scripts, which are available for most recent versions of Docker. -For example, this command could be used to install Docker 19.03 on Ubuntu: +For example, this command could be used to install Docker 20.10 on Ubuntu: ``` -curl https://releases.rancher.com/install-docker/19.03.sh | sh +curl https://releases.rancher.com/install-docker/20.10.sh | sh ``` Rancher has installation scripts for every version of upstream Docker that Kubernetes supports. To find out whether a script is available for installing a certain Docker version, refer to this [GitHub repository,](https://github.com/rancher/install-docker) which contains all of Rancher's Docker installation scripts. From 54e5c8e60dfefcdc80bbf5f2b765c285952eec31 Mon Sep 17 00:00:00 2001 
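Review bot: the updated install command still pipes an unverified download straight into `sh`; at minimum use `curl -fsSL` so an HTTP error page is not executed as a script, and tell readers they can download `20.10.sh` and review it (or compare it with the copy in the linked rancher/install-docker repository) before running it. The commit message calls 20.10 "the latest version of Docker supported by Rancher"; link to the support matrix next to the command so the number can be checked when it changes again.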
From: Catherine Luse Date: Wed, 23 Jun 2021 08:27:35 -0700 Subject: [PATCH 07/20] Say most recent Rancher version is v2.5.8 --- content/rancher/v2.5/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.5/_index.md b/content/rancher/v2.5/_index.md index 512930c7c8d..14b32b6a74a 100644 --- a/content/rancher/v2.5/_index.md +++ b/content/rancher/v2.5/_index.md @@ -1,5 +1,5 @@ --- -title: Rancher v2.5.7+ +title: Rancher v2.5.8+ weight: 1 showBreadcrumb: false --- From eb46ddad8b7eb676e9ef89ea1ff2b4fd22ccc60e Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 23 Jun 2021 09:21:16 -0700 Subject: [PATCH 08/20] Change v2.5 title to say v2.5.8 is latest --- content/rancher/v2.5/_index.md | 2 +- content/rancher/v2.5/en/_index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/rancher/v2.5/_index.md b/content/rancher/v2.5/_index.md index 14b32b6a74a..63cb3d79010 100644 --- a/content/rancher/v2.5/_index.md +++ b/content/rancher/v2.5/_index.md @@ -1,5 +1,5 @@ --- -title: Rancher v2.5.8+ +title: Rancher v2.5.8+ (Latest) weight: 1 showBreadcrumb: false --- diff --git a/content/rancher/v2.5/en/_index.md b/content/rancher/v2.5/en/_index.md index 6e97f69f89a..cf8994174f9 100644 --- a/content/rancher/v2.5/en/_index.md +++ b/content/rancher/v2.5/en/_index.md @@ -1,5 +1,5 @@ --- -title: "Rancher v2.5.7+ (Latest)" +title: "Rancher v2.5.8+ (Latest)" shortTitle: "Rancher v2.5.7+ (Latest)" description: "Rancher adds significant value on top of Kubernetes: managing hundreds of clusters from one interface, centralizing RBAC, enabling monitoring and alerting. Read more." metaTitle: "Rancher 2.x Docs: What is New?" From 7c4470d874ab83286b97325f3f4cd1db6fb8081c Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 23 Jun 2021 10:55:00 -0700 Subject: [PATCH 09/20] Change latest Rancher version --- content/rancher/v2.5/en/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/rancher/v2.5/en/_index.md b/content/rancher/v2.5/en/_index.md index cf8994174f9..f64e5407e71 100644 --- a/content/rancher/v2.5/en/_index.md +++ b/content/rancher/v2.5/en/_index.md @@ -1,6 +1,6 @@ --- title: "Rancher v2.5.8+ (Latest)" -shortTitle: "Rancher v2.5.7+ (Latest)" +shortTitle: "Rancher v2.5.8+ (Latest)" description: "Rancher adds significant value on top of Kubernetes: managing hundreds of clusters from one interface, centralizing RBAC, enabling monitoring and alerting. Read more." metaTitle: "Rancher 2.x Docs: What is New?" metaDescription: "Rancher 2 adds significant value on top of Kubernetes: managing hundreds of clusters from one interface, centralizing RBAC, enabling monitoring and alerting. Read more." From dce183dcc3fc21a2078852fc65a49cdb46f90422 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 24 Jun 2021 07:50:44 -0700 Subject: [PATCH 10/20] Say metrics server requires port 10250 open on all nodes. Closes #3352 --- .../rancher/v2.5/en/installation/requirements/ports/_index.md | 2 +- .../installation/requirements/ports/common-ports-table/index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/rancher/v2.5/en/installation/requirements/ports/_index.md b/content/rancher/v2.5/en/installation/requirements/ports/_index.md index ad874040492..eec93a29b24 100644 --- a/content/rancher/v2.5/en/installation/requirements/ports/_index.md +++ b/content/rancher/v2.5/en/installation/requirements/ports/_index.md @@ -89,7 +89,7 @@ The following tables break down the port requirements for traffic between the Ra | TCP | 6443 | Kubernetes apiserver | | UDP | 8472 | Canal/Flannel VXLAN overlay networking | | TCP | 9099 | Canal/Flannel livenessProbe/readinessProbe | -| TCP | 10250 | kubelet | +| TCP | 10250 | Metrics server communication with all nodes | | TCP | 10254 | Ingress controller livenessProbe/readinessProbe | The following tables break down the port requirements for inbound and outbound traffic: 
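Review bot: patches 07, 08 and 09 each edit the same `title`/`shortTitle` fields in turn (v2.5.7+, then v2.5.8+, then "(Latest)", then the `shortTitle` catch-up) and patch 13 rewrites them once more; squash these into a single commit so the history records one title change instead of four.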
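Review bot: replacing "kubelet" with "Metrics server communication with all nodes" in the 10250 row drops the information that 10250 is the kubelet API, which the API server also uses from all nodes for exec, logs and port-forward, not only the metrics server; keep the protocol name and add the client, for example "kubelet API (metrics server and kube-apiserver, from all nodes)". The same applies to the next hunk in common-ports-table/index.md, where "Metrics server communication with all nodes API" also reads as a garbled phrase.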
diff --git a/content/rancher/v2.5/en/installation/requirements/ports/common-ports-table/index.md b/content/rancher/v2.5/en/installation/requirements/ports/common-ports-table/index.md index 86bb7177bbe..4819129eb27 100644 --- a/content/rancher/v2.5/en/installation/requirements/ports/common-ports-table/index.md +++ b/content/rancher/v2.5/en/installation/requirements/ports/common-ports-table/index.md @@ -17,6 +17,6 @@ headless: true | TCP | 9796 | Default port required by Monitoring to scrape metrics from Windows node-exporters | | TCP | 6783 | Weave Port | | UDP | 6783-6784 | Weave UDP Ports | -| TCP | 10250 | kubelet API | +| TCP | 10250 | Metrics server communication with all nodes API | | TCP | 10254 | Ingress controller livenessProbe/readinessProbe | | TCP/UDP | 30000-
32767 | NodePort port range | From 66de22edfc72c7e93321bb6fedbed307f90054fb Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 24 Jun 2021 09:08:34 -0700 Subject: [PATCH 11/20] Avoid headings that don't work with docs theme --- .../admin-settings/rbac/default-custom-roles/_index.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md b/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md index 01764ad0ace..46eec0a0dca 100644 --- a/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md +++ b/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md @@ -17,14 +17,14 @@ This section covers the following topics: - [Deleting a custom global role](#deleting-a-custom-global-role) - [Assigning a custom global role to a group](#assigning-a-custom-global-role-to-a-group) -## Prerequisites +# Prerequisites To complete the tasks on this page, one of the following permissions are required: - [Administrator Global Permissions]({{}}/rancher/v2.5/en/admin-settings/rbac/global-permissions/). - [Custom Global Permissions]({{}}/rancher/v2.5/en/admin-settings/rbac/global-permissions/#custom-global-permissions) with the [Manage Roles]({{}}/rancher/v2.5/en/admin-settings/rbac/global-permissions/) role assigned. -## Creating A Custom Role for a Cluster or Project +# Creating A Custom Role for a Cluster or Project While Rancher comes out-of-the-box with a set of default user roles, you can also create default custom roles to provide users with very specific permissions within Rancher. @@ -57,7 +57,7 @@ The steps to add custom roles differ depending on the version of Rancher. 1. Click **Create**. -## Creating a Custom Global Role +# Creating a Custom Global Role ### Creating a Custom Global Role that Copies Rules from an Existing Role 
@@ -91,7 +91,7 @@ Custom global roles don't have to be based on existing roles. To create a custom 1. Click **Save.** -## Deleting a Custom Global Role +# Deleting a Custom Global Role When deleting a custom global role, all global role bindings with this custom role are deleted. @@ -105,7 +105,7 @@ To delete a custom global role, 2. On the **Global** tab, go to the custom global role that should be deleted and click **⋮ (…) > Delete.** 3. Click **Delete.** -## Assigning a Custom Global Role to a Group +# Assigning a Custom Global Role to a Group If you have a group of individuals that need the same level of access in Rancher, it can save time to create a custom global role. When the role is assigned to a group, the users in the group have the appropriate level of access the first time they sign into Rancher. From 01c818f04453e1055c3caceda09e23c832fd7577 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 24 Jun 2021 09:24:11 -0700 Subject: [PATCH 12/20] Document privilege escalation through configure catalogs permission --- .../admin-settings/rbac/default-custom-roles/_index.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md b/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md index 46eec0a0dca..e1051f9ae5e 100644 --- a/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md +++ b/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md @@ -9,6 +9,8 @@ Within Rancher, _roles_ determine what actions a user can make within a cluster Note that _roles_ are different from _permissions_, which determine what clusters and projects you can access. +> It is possible for a custom role to enable privilege escalation. For details, see [this section.](#privilege-escalation) + This section covers the following topics: - [Prerequisites](#prerequisites) 
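Review bot: promoting the section headings from `##` to `#` leaves the subsections underneath at `###` (visible right after "# Creating a Custom Global Role", where "### Creating a Custom Global Role that Copies Rules from an Existing Role" follows), so the outline now jumps from h1 to h3; if the theme needs `#` for top-level sections, the `###` subsections should become `##` in the same commit to keep the hierarchy consistent.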
@@ -16,6 +18,7 @@ This section covers the following topics: - [Creating a custom global role](#creating-a-custom-global-role) - [Deleting a custom global role](#deleting-a-custom-global-role) - [Assigning a custom global role to a group](#assigning-a-custom-global-role-to-a-group) +- [Privilege escalation](#privilege-escalation) # Prerequisites @@ -129,3 +132,9 @@ To assign a custom global role to a group, follow these steps: 1. Click **Create.** **Result:** The custom global role will take effect when the users in the group log into Rancher. + +# Privilege Escalation + +The `Configure Catalogs` custom permission is powerful and should be used with caution. When an admin assigns the `Configure Catalogs` permission to a standard user, it could result in privilege escalation in which the user could give themselves admin access to Rancher provisioned clusters. + +For example, a standard user with the `Configure Catalogs` permission could fork the Rancher [system-charts repository](https://github.com/rancher/system-charts) and add a new version to `rancher-eks-operator` with a ClusterRoleBinding that assigns admin privileges to themselves. After editing the `system-library` catalog in Rancher to the forked version, the standard user would gain administrator access to new EKS clusters. \ No newline at end of file From a5e111fe4443fb02f47bbfe0c10ee948856a6d7a Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 24 Jun 2021 09:50:46 -0700 Subject: [PATCH 13/20] Include 2.5.7 in Rancher versions --- content/rancher/v2.5/_index.md | 2 +- content/rancher/v2.5/en/_index.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/content/rancher/v2.5/_index.md b/content/rancher/v2.5/_index.md index 63cb3d79010..fe8b9384414 100644 --- a/content/rancher/v2.5/_index.md +++ b/content/rancher/v2.5/_index.md @@ -1,5 +1,5 @@ --- -title: Rancher v2.5.8+ (Latest) +title: Rancher 2.5.7-2.5.8+ (Latest) weight: 1 showBreadcrumb: false --- 
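Review bot: the new Privilege Escalation section explains the risk but gives no guidance on what an administrator should do about it; add that `Configure Catalogs` should only be granted to users who are already trusted at admin level and that changes to the `system-library` catalog source should be reviewed and audited. The blockquote added in the first hunk says "a custom role" can enable privilege escalation while the section is about a custom permission; align the wording. The file also still ends without a trailing newline.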
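Review bot: the new titles "Rancher 2.5.7-2.5.8+ (Latest)" drop the `v` prefix that every other version string on this page uses, and a range followed by `+` is ambiguous (is it 2.5.7 onward, or 2.5.8 onward with 2.5.7 also supported?); keep the prefix and say it plainly, for example "Rancher v2.5.7+ (Latest)" if 2.5.7 is the oldest version the docs cover.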
diff --git a/content/rancher/v2.5/en/_index.md b/content/rancher/v2.5/en/_index.md index f64e5407e71..d3faa2ec591 100644 --- a/content/rancher/v2.5/en/_index.md +++ b/content/rancher/v2.5/en/_index.md @@ -1,6 +1,6 @@ --- -title: "Rancher v2.5.8+ (Latest)" -shortTitle: "Rancher v2.5.8+ (Latest)" +title: "Rancher 2.5.7-2.5.8+ (Latest)" +shortTitle: "Rancher 2.5.7-2.5.8+ (Latest)" description: "Rancher adds significant value on top of Kubernetes: managing hundreds of clusters from one interface, centralizing RBAC, enabling monitoring and alerting. Read more." metaTitle: "Rancher 2.x Docs: What is New?" metaDescription: "Rancher 2 adds significant value on top of Kubernetes: managing hundreds of clusters from one interface, centralizing RBAC, enabling monitoring and alerting. Read more." From 7c5ba8f02c2ab50aee59e3ecfd043953c6f50d23 Mon Sep 17 00:00:00 2001 From: Nelson Roberts Date: Thu, 24 Jun 2021 10:40:14 -0700 Subject: [PATCH 14/20] updated guide table and corrected pdf link --- .../v2.5/en/security/rancher-2.5/1.5-hardening-2.5/_index.md | 2 +- content/rancher/v2.x/en/security/_index.md | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.5/en/security/rancher-2.5/1.5-hardening-2.5/_index.md b/content/rancher/v2.5/en/security/rancher-2.5/1.5-hardening-2.5/_index.md index 939089cadae..13e8edb74a1 100644 --- a/content/rancher/v2.5/en/security/rancher-2.5/1.5-hardening-2.5/_index.md +++ b/content/rancher/v2.5/en/security/rancher-2.5/1.5-hardening-2.5/_index.md 
@@ -13,7 +13,7 @@ This hardening guide is intended to be used for RKE clusters and associated with ----------------|-----------------------|------------------ Rancher v2.5 | Benchmark v1.5 | Kubernetes 1.15 -[Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.5/Rancher_Hardening_Guide_CIS_1.6.pdf) +[Click here to download a PDF version of this document](https://releases.rancher.com/documents/security/2.5/Rancher_Hardening_Guide_CIS_1.5.pdf) ### Overview diff --git a/content/rancher/v2.x/en/security/_index.md b/content/rancher/v2.x/en/security/_index.md index c27c4c504ac..e0105e9821c 100644 --- a/content/rancher/v2.x/en/security/_index.md +++ b/content/rancher/v2.x/en/security/_index.md @@ -60,6 +60,7 @@ Each version of the hardening guide is intended to be used with specific version Hardening Guide Version | Rancher Version | CIS Benchmark Version | Kubernetes Version ------------------------|----------------|-----------------------|------------------ +[Hardening Guide v2.5]({{}}/rancher/v2.x/en/security/rancher-2.5/1.6-hardening-2.5/) | Rancher v2.5 | Benchmark v1.6 | Kubernetes v1.18 [Hardening Guide v2.4]({{}}/rancher/v2.x/en/security/hardening-2.4/) | Rancher v2.4 | Benchmark v1.5 | Kubernetes v1.15 [Hardening Guide v2.3.5]({{}}/rancher/v2.x/en/security/hardening-2.3.5/) | Rancher v2.3.5 | Benchmark v1.5 | Kubernetes v1.15 [Hardening Guide v2.3.3]({{}}/rancher/v2.x/en/security/hardening-2.3.3/) | Rancher v2.3.3 | Benchmark v1.4.1 | Kubernetes v1.14, v1.15, and v1.16 
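Review bot: the corrected PDF link now points at `Rancher_Hardening_Guide_CIS_1.5.pdf`, matching the table row above it (Benchmark v1.5, Kubernetes 1.15) and the `1.5-hardening-2.5` path, while the row added to the v2.x security page links `1.6-hardening-2.5` with Benchmark v1.6 and Kubernetes v1.18; since there are evidently two v2.5 hardening guides, add a row for the 1.5 variant as well so readers on Kubernetes 1.15 find the right document. The same applies to the self-assessment table in the next hunk, which also only gains the 1.6 row.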
@@ -77,6 +78,7 @@ Each version of Rancher's self-assessment guide corresponds to specific versions Self Assessment Guide Version | Rancher Version | Hardening Guide Version | Kubernetes Version | CIS Benchmark Version ---------------------------|----------|---------|-------|----- +[Self Assessment Guide v2.5]({{}}/rancher/v2.x/en/security/rancher-2.5/1.6-benchmark-2.5/) | Rancher v2.5 | Hardening Guide v2.5 | Kubernetes v1.18 | Benchmark v1.6 [Self Assessment Guide v2.4]({{}}/rancher/v2.x/en/security/benchmark-2.4/#cis-kubernetes-benchmark-1-5-0-rancher-2-4-with-kubernetes-1-15) | Rancher v2.4 | Hardening Guide v2.4 | Kubernetes v1.15 | Benchmark v1.5 [Self Assessment Guide v2.3.5]({{}}/rancher/v2.x/en/security/benchmark-2.3.5/#cis-kubernetes-benchmark-1-5-0-rancher-2-3-5-with-kubernetes-1-15) | Rancher v2.3.5 | Hardening Guide v2.3.5 | Kubernetes v1.15 | Benchmark v1.5 [Self Assessment Guide v2.3.3]({{}}/rancher/v2.x/en/security/benchmark-2.3.3/#cis-kubernetes-benchmark-1-4-1-rancher-2-3-3-with-kubernetes-1-16) | Rancher v2.3.3 | Hardening Guide v2.3.3 | Kubernetes v1.16 | Benchmark v1.4.1 From 019f082f6a7711a0976b45c3971041f33fb99dbc Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Thu, 24 Jun 2021 13:58:07 -0700 Subject: [PATCH 15/20] Use K8s 1.20 release channel for RKE2 --- .../installation/resources/k8s-tutorials/ha-rke2/_index.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/content/rancher/v2.5/en/installation/resources/k8s-tutorials/ha-rke2/_index.md b/content/rancher/v2.5/en/installation/resources/k8s-tutorials/ha-rke2/_index.md index 55ed67ad198..715d31f2063 100644 --- a/content/rancher/v2.5/en/installation/resources/k8s-tutorials/ha-rke2/_index.md +++ b/content/rancher/v2.5/en/installation/resources/k8s-tutorials/ha-rke2/_index.md 
@@ -22,7 +22,7 @@ Rancher needs to be installed on a supported Kubernetes version. To find out whi RKE2 server runs with embedded etcd so you will not need to set up an external datastore to run in HA mode. -1. On the first node, you should set up the configuration file with your own pre-shared secret as the token. The token argument can be set on startup. +On the first node, you should set up the configuration file with your own pre-shared secret as the token. The token argument can be set on startup. If you do not specify a pre-shared secret, RKE2 will generate one and place it at /var/lib/rancher/rke2/server/node-token. @@ -37,8 +37,9 @@ tls-san: - another-kubernetes-domain.com ``` After that you need to run the install command and enable and start rke2: + ``` -curl -sfL https://get.rke2.io | sh - +curl -sfL https://get.rke2.io | INSTALL_RKE2_CHANNEL=v1.20 sh - systemctl enable rke2-server.service systemctl start rke2-server.service ``` From 77c7bc7c3880bf10bc2bbff493eafee9da9edd60 Mon Sep 17 00:00:00 2001 From: William Rizzo <73309415+wrkode@users.noreply.github.com> Date: Fri, 25 Jun 2021 11:13:24 +0200 Subject: [PATCH 16/20] Update requirements_ports_rke.html Adjusted all tables to reflect 10250 effective communications with all nodes for the Metrics server. fix for https://github.com/rancher/docs/issues/3352 --- layouts/shortcodes/requirements_ports_rke.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/layouts/shortcodes/requirements_ports_rke.html b/layouts/shortcodes/requirements_ports_rke.html index 1d5dfdbbb93..fd2597cd473 100644 --- a/layouts/shortcodes/requirements_ports_rke.html +++ b/layouts/shortcodes/requirements_ports_rke.html @@ -41,7 +41,7 @@ TCP 10250 -
  • controlplane nodes
+
  • Metrics server communications wtih all nodes
kubelet @@ -138,7 +138,7 @@ TCP 10250 -
  • controlplane nodes
+
  • Metrics server communications wtih all nodes
kubelet @@ -269,7 +269,7 @@ TCP 10250 -
  • controlplane nodes
+
  • Metrics server communications wtih all nodes
kubelet From 62db1a4337e5cd7d2661e4d49eabddb1e5e124f1 Mon Sep 17 00:00:00 2001 From: William Rizzo <73309415+wrkode@users.noreply.github.com> Date: Fri, 25 Jun 2021 11:26:44 +0200 Subject: [PATCH 17/20] Update requirements_ports_rke.html --- layouts/shortcodes/requirements_ports_rke.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/layouts/shortcodes/requirements_ports_rke.html b/layouts/shortcodes/requirements_ports_rke.html index fd2597cd473..1957b009106 100644 --- a/layouts/shortcodes/requirements_ports_rke.html +++ b/layouts/shortcodes/requirements_ports_rke.html @@ -41,7 +41,7 @@ TCP 10250 -
  • Metrics server communications wtih all nodes
+
  • Metrics server communications with all nodes
kubelet @@ -138,7 +138,7 @@ TCP 10250 -
  • Metrics server communications wtih all nodes
+
  • Metrics server communications with all nodes
kubelet @@ -269,7 +269,7 @@ TCP 10250 -
  • Metrics server communications wtih all nodes
+
  • Metrics server communications with all nodes
kubelet From 448eeaa136522c150700adb8f964c70dba859174 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 28 Jun 2021 16:37:04 -0700 Subject: [PATCH 18/20] Simplify guidance around configure catalogs permission --- .../en/admin-settings/rbac/default-custom-roles/_index.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md b/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md index e1051f9ae5e..00fd8351c06 100644 --- a/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md +++ b/content/rancher/v2.5/en/admin-settings/rbac/default-custom-roles/_index.md @@ -135,6 +135,4 @@ To assign a custom global role to a group, follow these steps: # Privilege Escalation -The `Configure Catalogs` custom permission is powerful and should be used with caution. When an admin assigns the `Configure Catalogs` permission to a standard user, it could result in privilege escalation in which the user could give themselves admin access to Rancher provisioned clusters. - -For example, a standard user with the `Configure Catalogs` permission could fork the Rancher [system-charts repository](https://github.com/rancher/system-charts) and add a new version to `rancher-eks-operator` with a ClusterRoleBinding that assigns admin privileges to themselves. After editing the `system-library` catalog in Rancher to the forked version, the standard user would gain administrator access to new EKS clusters. \ No newline at end of file +The `Configure Catalogs` custom permission is powerful and should be used with caution. When an admin assigns the `Configure Catalogs` permission to a standard user, it could result in privilege escalation in which the user could give themselves admin access to Rancher provisioned clusters. Anyone with this permission should be considered equivalent to an admin. \ No newline at end of file 
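Review bot: patch 16 introduces the typo "wtih" in all three 10250 rows of requirements_ports_rke.html and patch 17 exists only to fix it; squash the two so the typo never lands. On substance, the replaced cell previously named a traffic source ("controlplane nodes") and now holds a description ("Metrics server communications with all nodes"); if that column lists the nodes the traffic comes from, the cell should read as a source, for example "all nodes (metrics server)", and the "kubelet" cell should stay as it is so the row still says which service listens on 10250.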
From 488e3f9432e747265ae1181f725f9034dfa153a5 Mon Sep 17 00:00:00 2001 From: Alex Seymour <9771530+axeal@users.noreply.github.com> Date: Tue, 29 Jun 2021 16:11:12 +0200 Subject: [PATCH 19/20] Update k8s versions in firewalld note --- content/rancher/v2.5/en/installation/requirements/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.5/en/installation/requirements/_index.md b/content/rancher/v2.5/en/installation/requirements/_index.md index b91223043ca..c4308dbb4fe 100644 --- a/content/rancher/v2.5/en/installation/requirements/_index.md +++ b/content/rancher/v2.5/en/installation/requirements/_index.md @@ -42,7 +42,7 @@ All supported operating systems are 64-bit x86. The `ntp` (Network Time Protocol) package should be installed. This prevents errors with certificate validation that can occur when the time is not synchronized between the client and server. -Some distributions of Linux may have default firewall rules that block communication with Helm. We recommend disabling firewalld. For Kubernetes 1.19, firewalld must be turned off. +Some distributions of Linux may have default firewall rules that block communication with Helm. We recommend disabling firewalld. For Kubernetes 1.19 and 1.20, firewalld must be turned off. If you plan to run Rancher on ARM64, see [Running on ARM64 (Experimental).]({{}}/rancher/v2.5/en/installation/options/arm64-platform/) From 677e59658e46c5825151124d0f6c1e1f93ea88f4 Mon Sep 17 00:00:00 2001 From: papanito Date: Wed, 30 Jun 2021 11:01:40 +0200 Subject: [PATCH 20/20] feat: enhance installation requirements for issue rancher/#28840 --- .../en/installation/requirements/_index.md | 36 +++++++++++-------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/content/rancher/v2.5/en/installation/requirements/_index.md b/content/rancher/v2.5/en/installation/requirements/_index.md index c4308dbb4fe..9e2a6be96bf 100644 --- a/content/rancher/v2.5/en/installation/requirements/_index.md 
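Review bot: the changed sentence now hard-codes "Kubernetes 1.19 and 1.20" but still does not say why firewalld must be off for those versions or what failure an operator would see, so the version list will silently go stale at the next release and readers cannot tell whether the requirement applies to them; state the cause (or link the tracking issue) and describe the symptom rather than only the version numbers. The same paragraph recommends disabling the host firewall outright without offering an alternative; it should at least point to the Port Requirements section of this page so operators who keep firewalld can open only the ports Rancher needs instead of removing host-level filtering entirely.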
+++ b/content/rancher/v2.5/en/installation/requirements/_index.md @@ -11,18 +11,26 @@ This page describes the software, hardware, and networking requirements for the Make sure the node(s) for the Rancher server fulfill the following requirements: - [Operating Systems and Container Runtime Requirements](#operating-systems-and-container-runtime-requirements) + - [RKE Specific Requirements](#rke-specific-requirements) + - [K3s Specific Requirements](#k3s-specific-requirements) + - [RancherD Specific Requirements](#rancherd-specific-requirements) + - [RKE2 Specific Requirements](#rke2-specific-requirements) + - [Installing Docker](#installing-docker) - [Hardware Requirements](#hardware-requirements) - [CPU and Memory](#cpu-and-memory) - - [RKE and Hosted Kubernetes](#rke-and-hosted-kubernetes) - - [K3s Kubernetes](#k3s-kubernetes) - - [RancherD](#rancherd) - - [RKE2](#rke2-kubernetes) - - [CPU and Memory for Rancher before v2.4.0](#cpu-and-memory-for-rancher-before-v2-4-0) + - [RKE and Hosted Kubernetes](#rke-and-hosted-kubernetes) + - [K3s Kubernetes](#k3s-kubernetes) + - [RancherD](#rancherd) + - [RKE2 Kubernetes](#rke2-kubernetes) + - [Docker](#docker) - [Ingress](#ingress) + - [Ingress for RKE2](#ingress-for-rke2) + - [Ingress for EKS](#ingress-for-eks) - [Disks](#disks) - [Networking Requirements](#networking-requirements) - - [Node IP Addresses](#node-ip-addresses) - - [Port Requirements](#port-requirements) + - [Node IP Addresses](#node-ip-addresses) + - [Port Requirements](#port-requirements) +- [RancherD on SELinux Enforcing CentOS 8 or RHEL 8 Nodes](#rancherd-on-selinux-enforcing-centos-8-or-rhel-8-nodes) For a list of best practices that we recommend for running the Rancher server in production, refer to the [best practices section.]({{}}/rancher/v2.5/en/best-practices/deployment-types/) 
@@ -44,6 +52,8 @@ The `ntp` (Network Time Protocol) package should be installed. This prevents err Some distributions of Linux may have default firewall rules that block communication with Helm. We recommend disabling firewalld. For Kubernetes 1.19 and 1.20, firewalld must be turned off. +> If you don't feel comfortable doing so you might check suggestions in the [respective issue](https://github.com/rancher/rancher/issues/28840). Some users were successful [creating a separate firewalld zone with a policy of ACCEPT for the Pod CIDR](https://github.com/rancher/rancher/issues/28840#issuecomment-787404822). + If you plan to run Rancher on ARM64, see [Running on ARM64 (Experimental).]({{}}/rancher/v2.5/en/installation/options/arm64-platform/) ### RKE Specific Requirements @@ -62,9 +72,9 @@ If you are installing Rancher on a K3s cluster with Alpine Linux, follow [these ### RancherD Specific Requirements -_The RancherD install is available as of v2.5.4. It is an experimental feature._ +_The RancherD install is available as of v2.5.4. It is an experimental feature._ -At this time, only Linux OSes that leverage systemd are supported. +At this time, only Linux OSes that leverage systemd are supported. To install RancherD on SELinux Enforcing CentOS 8 or RHEL 8 nodes, some [additional steps](#rancherd-on-selinux-enforcing-centos-8-or-rhel-8-nodes) are required. @@ -99,8 +109,6 @@ These CPU and memory requirements apply to each host in the Kubernetes cluster w These requirements apply to RKE Kubernetes clusters, as well as to hosted Kubernetes clusters such as EKS. - - | Deployment Size | Clusters | Nodes | vCPUs | RAM | | --------------- | ---------- | ------------ | -------| ------- | | Small | Up to 150 | Up to 1500 | 2 | 8 GB | 
@@ -109,7 +117,7 @@ These requirements apply to RKE Kubernetes clusters, as well as to hosted Kubern | X-Large | Up to 1000 | Up to 10,000 | 16 | 64 GB | | XX-Large | Up to 2000 | Up to 20,000 | 32 | 128 GB | -[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes. +[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes. ### K3s Kubernetes @@ -123,7 +131,7 @@ These CPU and memory requirements apply to each host in a [K3s Kubernetes cluste | X-Large | Up to 1000 | Up to 10,000 | 16 | 64 GB | 2 cores, 4 GB + 1000 IOPS | | XX-Large | Up to 2000 | Up to 20,000 | 32 | 128 GB | 2 cores, 4 GB + 1000 IOPS | -[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes. +[Contact Rancher](https://rancher.com/contact/) for more than 2000 clusters and/or 20,000 nodes. ### RancherD @@ -189,7 +197,7 @@ To operate properly, Rancher requires a number of ports to be open on Rancher no # RancherD on SELinux Enforcing CentOS 8 or RHEL 8 Nodes -Before installing Rancher on SELinux Enforcing CentOS 8 nodes or RHEL 8 nodes, you must install `container-selinux` and `iptables`: +Before installing Rancher on SELinux Enforcing CentOS 8 nodes or RHEL 8 nodes, you must install `container-selinux` and `iptables`: ``` sudo yum install iptables
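Review bot: the TOC hunk (`@@ -11,18 +11,26`) introduces anchors `#installing-docker`, `#docker`, `#ingress-for-rke2` and `#ingress-for-eks`, but no hunk in this patch adds or renames a heading with those slugs, so verify that each anchor resolves to an existing heading before merging; the `#docker` entry under CPU and Memory is the one most likely to be missing. The nested entries also move from two-space to three-space indentation; use whichever indentation the rest of the Rancher docs rely on so the list still renders as nested on the site.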
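Review bot: in the `@@ -44,6 +52,8` hunk the added blockquote presents an anecdotal workaround ("Some users were successful ...") from an issue comment as guidance, while the sentence directly above it says firewalld "must be turned off" for Kubernetes 1.19 and 1.20, so the page now both requires and discourages the same step. Either state the actual requirement (which CIDRs and ports must be reachable between nodes) so an operator can write a firewalld zone from the docs alone, or label the linked approach explicitly as community-provided and unsupported and say which versions it was reported to work on. Minor: add a comma after "doing so", and "the respective issue" reads better as "the tracking issue".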
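Review bot: the `@@ -62,9 +72,9`, `@@ -109,7 +117,7`, `@@ -123,7 +131,7` and `@@ -189,7 +197,7` hunks only strip trailing whitespace, and `@@ -99,8 +109,6` only removes blank lines ahead of the deployment-size table; none of this relates to the stated purpose ("enhance installation requirements for issue rancher/#28840"), so moving the whitespace cleanup into its own commit would leave the substantive TOC and firewalld changes reviewable on their own.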