From 928f57330414b55b3dd4e67cfd56a354e4258706 Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Mon, 9 Aug 2021 16:44:37 -0700 Subject: [PATCH] Revert "Document Rancher image vulnerability scanning" --- content/rancher/v2.6/en/istio/_index.md | 42 +++++++++------ .../rancher/v2.6/en/istio/migrating/_index.md | 27 ---------- content/rancher/v2.6/en/pipelines/_index.md | 2 +- content/rancher/v2.6/en/security/_index.md | 5 -- .../v2.6/en/security/cve-scans/_index.md | 54 ------------------- 5 files changed, 28 insertions(+), 102 deletions(-) delete mode 100644 content/rancher/v2.6/en/istio/migrating/_index.md delete mode 100644 content/rancher/v2.6/en/security/cve-scans/_index.md diff --git a/content/rancher/v2.6/en/istio/_index.md b/content/rancher/v2.6/en/istio/_index.md index 2a7b02876e7..db536318780 100644 --- a/content/rancher/v2.6/en/istio/_index.md +++ b/content/rancher/v2.6/en/istio/_index.md 
@@ -7,20 +7,6 @@ aliases: [Istio](https://istio.io/) is an open-source tool that makes it easier for DevOps teams to observe, secure, control, and troubleshoot the traffic within a complex network of microservices. -> If you are still using Istio v1, installed with the legacy Cluster Manager, we recommend migrating to Istio v2 by following [these steps.](./migrating/#migrating-istio) Istio v1 (1.5.920) will receive limited security updates should no longer be used. The images for Istio 1.5.920 should not be downloaded unless upgrading Istio is not feasible. - -- [Overview](#overview) -- [Tools Bundled with Istio](#tools-bundled-with-istio) -- [Prerequisites](#prerequisites) -- [Setup Guide](#setup-guide) -- [Remove Istio](#remove-istio) -- [Migrate from Previous Istio Version](#migrate-from-previous-istio-version) -- [Accessing Visualizations](#accessing-visualizations) -- [Architecture](#architecture) -- [Additional steps for installing Istio on an RKE2 cluster](#additional-steps-for-installing-istio-on-an-rke2-cluster) - -# Overview - As a network of microservices changes and grows, the interactions between them can become increasingly difficult to manage and understand. In such a situation, it is useful to have a service mesh as a separate infrastructure layer. Istio's service mesh lets you manipulate traffic between microservices without changing the microservices directly. Our integration of Istio is designed so that a Rancher operator, such as an administrator or cluster owner, can deliver Istio to a team of developers. Then developers can use Istio to enforce security policies, troubleshoot problems, or manage traffic for green/blue deployments, canary deployments, or A/B testing. 
@@ -35,6 +21,28 @@ After [setting up istio]({{}}/rancher/v2.6/en/cluster-admin/tools/istio Istio needs to be set up by a `cluster-admin` before it can be used in a project. +- [What's New in Rancher v2.5](#what-s-new-in-rancher-v2-5) +- [Tools Bundled with Istio](#tools-bundled-with-istio) +- [Prerequisites](#prerequisites) +- [Setup Guide](#setup-guide) +- [Remove Istio](#remove-istio) +- [Migrate from Previous Istio Version](#migrate-from-previous-istio-version) +- [Accessing Visualizations](#accessing-visualizations) +- [Architecture](#architecture) +- [Additional steps for installing Istio on an RKE2 cluster](#additional-steps-for-installing-istio-on-an-rke2-cluster) + +# What's New in Rancher v2.5 + +The overall architecture of Istio has been simplified. A single component, Istiod, has been created by combining Pilot, Citadel, Galley and the sidecar injector. Node Agent functionality has also been merged into istio-agent. + +Addons that were previously installed by Istio (cert-manager, Grafana, Jaeger, Kiali, Prometheus, Zipkin) will now need to be installed separately. Istio will support installation of integrations that are from the Istio Project and will maintain compatibility with those that are not. + +A Prometheus integration will still be available through an installation of [Rancher Monitoring]({{}}/rancher/v2.6/en/monitoring-alerting/), or by installing your own Prometheus operator. Rancher's Istio chart will also install Kiali by default to ensure you can get a full picture of your microservices out of the box. + +Istio has migrated away from Helm as a way to install Istio and now provides installation through the istioctl binary or Istio Operator. To ensure the easiest interaction with Istio, Rancher's Istio will maintain a Helm chart that utilizes the istioctl binary to manage your Istio installation. + +This Helm chart will be available via the Apps and Marketplace in the UI. 
A user that has access to the Rancher Chart's catalog will need to set up Istio before it can be used in the project. + # Tools Bundled with Istio Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy Helm chart, including an overlay file option to allow complex customization. @@ -71,7 +79,11 @@ To remove Istio components from a cluster, namespace, or workload, refer to the # Migrate From Previous Istio Version -For details on migrating from Istio v1 installed with the legacy Cluster Manager, see [this page.](./migrating) +There is no upgrade path for Istio versions less than 1.7.x. To successfully install Istio in the **Cluster Explorer**, you will need to disable your existing Istio in the **Cluster Manager**. + +If you have a significant amount of additional Istio CRDs you might consider manually migrating CRDs that are supported in both versions of Istio. You can do this by running `kubectl get -n istio-system -o yaml`, save the output yaml and re-apply in the new version. + +Another option is to manually uninstall istio resources one at a time, but leave the resources that are supported in both versions of Istio and that will not be installed by the newest version. This method is more likely to result in issues installing the new version, but could be a good option depending on your situation. # Accessing Visualizations diff --git a/content/rancher/v2.6/en/istio/migrating/_index.md b/content/rancher/v2.6/en/istio/migrating/_index.md deleted file mode 100644 index 4bc768803b4..00000000000 --- a/content/rancher/v2.6/en/istio/migrating/_index.md +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -title: Migrating from Previous Istio Version -weight: 7 ---- - -- [New in Rancher v2.5](#new-in-rancher-v2-5) -- [Migrating Istio](#migrating-istio) - -# New in Rancher v2.5 - -The overall architecture of Istio has been simplified. A single component, Istiod, has been created by combining Pilot, Citadel, Galley and the sidecar injector. Node Agent functionality has also been merged into istio-agent. - -Addons that were previously installed by Istio (cert-manager, Grafana, Jaeger, Kiali, Prometheus, Zipkin) will now need to be installed separately. Istio will support installation of integrations that are from the Istio Project and will maintain compatibility with those that are not. - -A Prometheus integration will still be available through an installation of [Rancher Monitoring]({{}}/rancher/v2.6/en/monitoring-alerting/), or by installing your own Prometheus operator. Rancher's Istio chart will also install Kiali by default to ensure you can get a full picture of your microservices out of the box. - -Istio has migrated away from Helm as a way to install Istio and now provides installation through the istioctl binary or Istio Operator. To ensure the easiest interaction with Istio, Rancher's Istio will maintain a Helm chart that utilizes the istioctl binary to manage your Istio installation. - -This Helm chart will be available via the Apps and Marketplace in the UI. A user that has access to the Rancher Chart's catalog will need to set up Istio before it can be used in the project. - -# Migrating Istio - -There is no upgrade path for Istio versions less than 1.7.x. To successfully install Istio in the **Cluster Explorer**, you will need to disable your existing Istio in the **Cluster Manager**. - -If you have a significant amount of additional Istio CRDs you might consider manually migrating CRDs that are supported in both versions of Istio. 
You can do this by running `kubectl get -n istio-system -o yaml`, save the output yaml and re-apply in the new version. - -Another option is to manually uninstall istio resources one at a time, but leave the resources that are supported in both versions of Istio and that will not be installed by the newest version. This method is more likely to result in issues installing the new version, but could be a good option depending on your situation. \ No newline at end of file diff --git a/content/rancher/v2.6/en/pipelines/_index.md b/content/rancher/v2.6/en/pipelines/_index.md index d87d5cad801..4cec6a34a2e 100644 --- a/content/rancher/v2.6/en/pipelines/_index.md +++ b/content/rancher/v2.6/en/pipelines/_index.md @@ -5,7 +5,7 @@ aliases: - /rancher/v2.6/en/k8s-in-rancher/pipelines --- -> As of Rancher v2.5, Git-based deployment pipelines are now recommended to be handled with Rancher Continuous Delivery powered by [Fleet,]({{}}/rancher/v2.6/en/deploy-across-clusters/fleet) available in Cluster Explorer. Pipelines will receive only critical CVE fixes. They should be used only if migrating to Fleet is not feasible. +> As of Rancher v2.5, Git-based deployment pipelines are now recommended to be handled with Rancher Continuous Delivery powered by [Fleet,]({{}}/rancher/v2.6/en/deploy-across-clusters/fleet) available in Cluster Explorer. Rancher's pipeline provides a simple CI/CD experience. Use it to automatically checkout code, run builds or scripts, publish Docker images or catalog applications, and deploy the updated software to users. diff --git a/content/rancher/v2.6/en/security/_index.md b/content/rancher/v2.6/en/security/_index.md index c32ec82864a..916ef9284ff 100644 --- a/content/rancher/v2.6/en/security/_index.md +++ b/content/rancher/v2.6/en/security/_index.md 
@@ -30,7 +30,6 @@ On this page, we provide security-related documentation along with resources to - [The CIS Benchmark and self-assessment](#the-cis-benchmark-and-self-assessment) - [Third-party penetration test reports](#third-party-penetration-test-reports) - [Rancher CVEs and resolutions](#rancher-cves-and-resolutions) -- [Rancher image vulnerability scanning](#rancher-image-vulnerability-scanning) ### Running a CIS Security Scan on a Kubernetes Cluster @@ -84,7 +83,3 @@ Results: ### Rancher CVEs and Resolutions Rancher is committed to informing the community of security issues in our products. For the list of CVEs (Common Vulnerabilities and Exposures) for issues we have resolved, refer to [this page.](./cve) - -### Rancher Image Vulnerability Scanning - -Rancher shares security scan results for the images in a Rancher release. This information includes CVE (Common Vulnerabilities and Exposures) IDs, status, notes or remediation plans where available. For more information, see [this page.](./cve-scans) \ No newline at end of file diff --git a/content/rancher/v2.6/en/security/cve-scans/_index.md b/content/rancher/v2.6/en/security/cve-scans/_index.md deleted file mode 100644 index 10d1589682d..00000000000 --- a/content/rancher/v2.6/en/security/cve-scans/_index.md +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -title: Rancher Image Vulnerability Scanning -weight: 5 ---- - -Rancher shares security scan results for the images in a Rancher release. This information includes CVE (Common Vulnerabilities and Exposures) IDs, status, notes or remediation plans where available. - -The CVE scanning process, introduced in Rancher v2.6, reduces the patching cycle time of Rancher images. - -- [Scope](#scope) -- [Scanning Tool](#scanning-tool) -- [Reporting Scan Results](#reporting-scan-results) -- [Addressing Vulnerabilities](#addressing-vulnerabilities) - -# Scope - -The CVE scan includes all images shipped with Rancher releases, which are listed in the `rancher-images.txt` file included with every release. This list includes all core Rancher components and features. The published list of CVEs covers the latest development version of Rancher v2.6 and the catalog charts for the Rancher version. - -The `rancher-images-sources.txt` file also includes the images, along with an annotation indicating what Rancher feature uses the image. - -# Scanning Tool - -Rancher images are scanned with [Trivy,](https://github.com/aquasecurity/trivy) tool from Aqua Security. Other image scanning tools may yield different results. - -# Reporting Scan Results - -The CVE scan report lists any image containing a CVE that is ranked by our scanning tool with a rating of `HIGH` or above. - -The report is provided in CSV format with each Rancher release. It is also available on a publicly accessible web page. This web page is updated daily. 
- -For each image listed in the scan report, the following information is listed: - -- Image name -- CVE ID -- Severity level -- Package name -- Status of patch - - For mirrored images, the current upstream state is used - - For Rancher images, the status in the Rancher pipeline is used - -# Addressing Vulnerabilities - -As new CVEs are reported, or new images with high or critical severity CVEs are brought into the pipeline, the Rancher team is automatically alerted and triages each vulnerability. - -Rancher addresses vulnerabilities differently depending on whether the image is mirrored from a community project or maintained by Rancher. Depending on the context and the situation, the vulnerabilities will either be fixed, or will be noted as false positives, or will be noted as not able to be fixed. - -Some Rancher features will not receive security updates, or will receive limited ones. For details, see [this section](#features-with-limited-security-updates) - -### Features with Limited Security Updates - -The following features will receive limited or no security updates: - -- Cluster Manager's Istio, which ended with upstream version 1.5, should no longer be used as it hit end-of-life on August 21 2020. We recommend using the newer versions of Istio from the Cluster Explorer. The images for Istio 1.5 should not be downloaded unless upgrading Istio is not feasible. -- Pipelines were deprecated as of Rancher v2.5 and should no longer be used. The pipelines feature will receive only critical CVE fixes. We recommend handling Git-based deployment pipelines with [Fleet.]({{}}/rancher/v2.6/en/deploy-across-clusters/fleet)
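Review bot: the admonition removed at the top of `content/rancher/v2.6/en/istio/_index.md` was the only warning on that page that the legacy Cluster Manager Istio (1.5.920) receives limited security updates and should no longer be used; reverting the image-scanning page does not change that support status, so consider keeping a one-line warning there (minus the link to `./migrating/`, which this patch deletes) instead of dropping it together with the table of contents and the `# Overview` heading. If it is reinstated, the sentence `Istio v1 (1.5.920) will receive limited security updates should no longer be used` is missing an "and".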
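Review bot: in the second `istio/_index.md` hunk the restored table of contents lands after the `Istio needs to be set up by a cluster-admin` paragraph, i.e. below the body text it indexes, and the restored `# What's New in Rancher v2.5` heading (anchor `#what-s-new-in-rancher-v2-5`) reads as stale in the v2.6 tree. Acceptable for a straight revert, but the list belongs directly under the intro and the section title should name the version this page documents.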
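Review bot: the restored `# Migrate From Previous Istio Version` text tells readers to run `kubectl get -n istio-system -o yaml`, which fails as written because `kubectl get` requires a resource type; the paragraph means the Istio custom resources, so spell them out, e.g. `kubectl get virtualservices,destinationrules,gateways -A -o yaml` plus whatever other Istio CRD kinds are in use. Scoping to `-n istio-system` is also wrong for this purpose, since those CRs normally live in application namespaces and would be missed. The same defect is in the `migrating/_index.md` copy this patch deletes, so the revert carries it forward rather than fixing it.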
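Review bot: deleting `content/rancher/v2.6/en/istio/migrating/_index.md` drops the URL `/rancher/v2.6/en/istio/migrating/` with no redirect. This docs tree already uses Hugo `aliases:` front matter (see `pipelines/_index.md` in this same patch), so add that path to the `aliases:` of `istio/_index.md` so that existing external links and search results do not 404 after the content moves back into the parent page.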
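Review bot: the `pipelines/_index.md` hunk removes `Pipelines will receive only critical CVE fixes. They should be used only if migrating to Fleet is not feasible.`, which is a statement about security support for a deprecated feature, not about image scanning. Unless that support commitment is itself being withdrawn, keep those two sentences; the remaining note only says Fleet is recommended and no longer tells readers that pipelines get nothing beyond critical CVE fixes.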
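Review bot: with the `Rancher Image Vulnerability Scanning` list entry and section removed from `security/_index.md`, check that nothing else under `content/rancher/v2.6/` still links to `security/cve-scans` or to its `#features-with-limited-security-updates` anchor; this patch only touches the five files in its diffstat, and any leftover link to the deleted page becomes a broken link in the rendered site.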
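Review bot: the deleted `security/cve-scans/_index.md` is where the v2.6 docs recorded, in its `Features with Limited Security Updates` section, that Cluster Manager Istio 1.5 reached end-of-life on August 21 2020 and that pipelines receive only critical CVE fixes. Because this revert also strips the matching warnings from the Istio and pipelines pages, that support-status information disappears from the v2.6 docs entirely; if only the description of the scanning process is being withdrawn, move those two bullets into `security/_index.md` or the respective feature pages instead of deleting them with the page.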