From 826ae8e86c74ebee807fa48d52cec8989446e2a3 Mon Sep 17 00:00:00 2001 From: Jonathan Crowther Date: Mon, 17 Feb 2025 13:25:07 -0500 Subject: [PATCH 1/4] Add documentation for aggregated clusterroles --- .../installation-references/feature-flags.md | 2 ++ .../cluster-role-aggregation.md | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md diff --git a/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md b/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md index 969252b53e9..0a3fa8e2281 100644 --- a/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md +++ b/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md 
@@ -18,6 +18,7 @@ Some feature flags require a restart of the Rancher container. Features that req The following is a list of feature flags available in Rancher. If you've upgraded from a previous Rancher version, you may see additional flags in the Rancher UI, such as `proxy` or `dashboard` (both [discontinued](https://github.com/rancher/rancher-docs/tree/main/archived_docs/en/version-2.5/reference-guides/installation-references/feature-flags.md)): +- `aggregated-roletemplates`: Use cluster role aggregation architecture for RoleTemplates, ProjectRoleTemplateBindings, and ClusterRoleTemplateBindings. See [Cluster Role Aggregation](../../../how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md) for more information. - `clean-stale-secrets`: Removes stale secrets from the `cattle-impersonation-system` namespace. This slowly cleans up old secrets which are no longer being used by the impersonation system. - `continuous-delivery`: Allows Fleet GitOps to be disabled separately from Fleet. See [Continuous Delivery.](../../../how-to-guides/advanced-user-guides/enable-experimental-features/continuous-delivery.md) for more information. - `fleet`: The Rancher provisioning framework in v2.6 and later requires Fleet. The flag will be automatically enabled when you upgrade, even if you disabled this flag in an earlier version of Rancher. See [Continuous Delivery with Fleet](../../../integrations-in-rancher/fleet/fleet.md) for more information. 
@@ -38,6 +39,7 @@ The following table shows the availability and default values for some feature f | Feature Flag Name | Default Value | Status | Available As Of | Additional Information | | ----------------------------- | ------------- | ------------ | --------------- | ---------------------- | +| `aggregated-roletemplates | `false` | Highly experimentatl | v2.11.0 | This flag value is locked on install and can't be changed. | | `clean-stale-secrets` | `true` | GA | v2.10.2 | | | `continuous-delivery` | `true` | GA | v2.6.0 | | | `external-rules` | v2.7.14: `false`, v2.8.5: `true` | Removed | v2.7.14, v2.8.5 | This flag affected [external `RoleTemplate` behavior](../../../how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/cluster-and-project-roles.md#external-roletemplate-behavior). It is removed in Rancher v2.9.0 and later as the behavior is enabled by default. | diff --git a/docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md b/docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md new file mode 100644 index 00000000000..7b11c57a96a --- /dev/null +++ b/docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md 
@@ -0,0 +1,19 @@ +--- +title: ClusterRole Aggregation +--- + + + + + +:::caution +ClusterRole Aggregation is a highly experimental feature that changes the RBAC architecture used for RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings. **Not supported for production environments**. Meant exclusively for internal testing in v2.11. Expected to be available as a beta for users in v2.12 with a prospective GA in Rancher v2.13. +::: + +ClusterRole aggregation implements RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings using the Kubernetes feature [Aggregated ClusterRoles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles). The new architecture results in a net reduction in RBAC objects (Roles, RoleBindings, ClusterRoles and ClusterRoleBindings) both in the Rancher cluster and the downstream clusters. + +Environment Variable Key | Default Value | Description +--- | --- | --- +`aggregated-roletemplates` | `false` | [Experimental] Make RoleTemplates use aggregation for generated RBAC roles + +The value of this feature flag is locked on install, which shows up in the UI as a lock symbol beside the feature flag. That means the feature can only be set on the first ever installation of Rancher. After that, attempting to modify the value will be denied. From d0a35e1a3e7aaa3aab30d53237de085500e6441c Mon Sep 17 00:00:00 2001 From: Jonathan Crowther Date: Mon, 17 Mar 2025 13:53:07 -0400 Subject: [PATCH 2/4] Missing quote --- .../installation-references/feature-flags.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md b/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md index 0a3fa8e2281..9af792a8a1d 100644 --- a/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md 
+++ b/docs/getting-started/installation-and-upgrade/installation-references/feature-flags.md @@ -39,7 +39,7 @@ The following table shows the availability and default values for some feature f | Feature Flag Name | Default Value | Status | Available As Of | Additional Information | | ----------------------------- | ------------- | ------------ | --------------- | ---------------------- | -| `aggregated-roletemplates | `false` | Highly experimentatl | v2.11.0 | This flag value is locked on install and can't be changed. | +| `aggregated-roletemplates` | `false` | Highly experimentatl | v2.11.0 | This flag value is locked on install and can't be changed. | | `clean-stale-secrets` | `true` | GA | v2.10.2 | | | `continuous-delivery` | `true` | GA | v2.6.0 | | | `external-rules` | v2.7.14: `false`, v2.8.5: `true` | Removed | v2.7.14, v2.8.5 | This flag affected [external `RoleTemplate` behavior](../../../how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/cluster-and-project-roles.md#external-roletemplate-behavior). It is removed in Rancher v2.9.0 and later as the behavior is enabled by default. | From 81c14ffd09951c906bd268baeed3e6b52400f4ec Mon Sep 17 00:00:00 2001 From: Jonathan Crowther Date: Wed, 19 Mar 2025 09:41:47 -0400 Subject: [PATCH 3/4] Fix some wording --- .../cluster-role-aggregation.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md b/docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md index 7b11c57a96a..b28f285bb72 100644 --- a/docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md +++ b/docs/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md 
@@ -7,13 +7,13 @@ title: ClusterRole Aggregation :::caution -ClusterRole Aggregation is a highly experimental feature that changes the RBAC architecture used for RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings. **Not supported for production environments**. Meant exclusively for internal testing in v2.11. Expected to be available as a beta for users in v2.12 with a prospective GA in Rancher v2.13. +ClusterRole aggregation is a highly experimental feature that changes the RBAC architecture used for RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings. **It is not supported for production environments**. This feature is meant exclusively for internal testing in v2.11. It is expected to be available as a beta for users in v2.12 with a prospective GA in Rancher v2.13. ::: ClusterRole aggregation implements RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings using the Kubernetes feature [Aggregated ClusterRoles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles). The new architecture results in a net reduction in RBAC objects (Roles, RoleBindings, ClusterRoles and ClusterRoleBindings) both in the Rancher cluster and the downstream clusters. -Environment Variable Key | Default Value | Description ---- | --- | --- -`aggregated-roletemplates` | `false` | [Experimental] Make RoleTemplates use aggregation for generated RBAC roles +| Environment Variable Key | Default Value | Description | +| --- | --- | --- | +| `aggregated-roletemplates` | `false` | [Experimental] Make RoleTemplates use aggregation for generated RBAC roles. | -The value of this feature flag is locked on install, which shows up in the UI as a lock symbol beside the feature flag. That means the feature can only be set on the first ever installation of Rancher. After that, attempting to modify the value will be denied. 
+The value of this feature flag is locked on installation, which shows up in the UI as a lock symbol beside the feature flag. That means the feature can only be set on the first ever installation of Rancher. After that, attempting to modify the value will be denied. From d55be97e14cb08e6fdb8b93f55e3ef5e326edc25 Mon Sep 17 00:00:00 2001 From: Jonathan Crowther Date: Wed, 19 Mar 2025 09:46:07 -0400 Subject: [PATCH 4/4] Added versioned docs and sidebar --- sidebars.js | 1 + .../installation-references/feature-flags.md | 2 ++ .../cluster-role-aggregation.md | 19 +++++++++++++++++++ versioned_sidebars/version-2.11-sidebars.json | 3 ++- 4 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 versioned_docs/version-2.11/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md diff --git a/sidebars.js b/sidebars.js index 3e636d11f0b..e9e1733089d 100644 --- a/sidebars.js +++ b/sidebars.js @@ -796,6 +796,7 @@ const sidebars = { "how-to-guides/advanced-user-guides/enable-experimental-features/unsupported-storage-drivers", "how-to-guides/advanced-user-guides/enable-experimental-features/istio-traffic-management-features", "how-to-guides/advanced-user-guides/enable-experimental-features/continuous-delivery", + "how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation", ] }, "how-to-guides/advanced-user-guides/open-ports-with-firewalld", diff --git a/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/feature-flags.md b/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/feature-flags.md index 969252b53e9..9af792a8a1d 100644 --- a/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/feature-flags.md +++ b/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/feature-flags.md 
@@ -18,6 +18,7 @@ Some feature flags require a restart of the Rancher container. Features that req The following is a list of feature flags available in Rancher. If you've upgraded from a previous Rancher version, you may see additional flags in the Rancher UI, such as `proxy` or `dashboard` (both [discontinued](https://github.com/rancher/rancher-docs/tree/main/archived_docs/en/version-2.5/reference-guides/installation-references/feature-flags.md)): +- `aggregated-roletemplates`: Use cluster role aggregation architecture for RoleTemplates, ProjectRoleTemplateBindings, and ClusterRoleTemplateBindings. See [Cluster Role Aggregation](../../../how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md) for more information. - `clean-stale-secrets`: Removes stale secrets from the `cattle-impersonation-system` namespace. This slowly cleans up old secrets which are no longer being used by the impersonation system. - `continuous-delivery`: Allows Fleet GitOps to be disabled separately from Fleet. See [Continuous Delivery.](../../../how-to-guides/advanced-user-guides/enable-experimental-features/continuous-delivery.md) for more information. - `fleet`: The Rancher provisioning framework in v2.6 and later requires Fleet. The flag will be automatically enabled when you upgrade, even if you disabled this flag in an earlier version of Rancher. See [Continuous Delivery with Fleet](../../../integrations-in-rancher/fleet/fleet.md) for more information. 
@@ -38,6 +39,7 @@ The following table shows the availability and default values for some feature f | Feature Flag Name | Default Value | Status | Available As Of | Additional Information | | ----------------------------- | ------------- | ------------ | --------------- | ---------------------- | +| `aggregated-roletemplates` | `false` | Highly experimentatl | v2.11.0 | This flag value is locked on install and can't be changed. | | `clean-stale-secrets` | `true` | GA | v2.10.2 | | | `continuous-delivery` | `true` | GA | v2.6.0 | | | `external-rules` | v2.7.14: `false`, v2.8.5: `true` | Removed | v2.7.14, v2.8.5 | This flag affected [external `RoleTemplate` behavior](../../../how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/cluster-and-project-roles.md#external-roletemplate-behavior). It is removed in Rancher v2.9.0 and later as the behavior is enabled by default. | diff --git a/versioned_docs/version-2.11/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md b/versioned_docs/version-2.11/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md new file mode 100644 index 00000000000..b28f285bb72 --- /dev/null +++ b/versioned_docs/version-2.11/how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation.md 
@@ -0,0 +1,19 @@ +--- +title: ClusterRole Aggregation +--- + + + + + +:::caution +ClusterRole aggregation is a highly experimental feature that changes the RBAC architecture used for RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings. **It is not supported for production environments**. This feature is meant exclusively for internal testing in v2.11. It is expected to be available as a beta for users in v2.12 with a prospective GA in Rancher v2.13. +::: + +ClusterRole aggregation implements RoleTemplates, ClusterRoleTemplateBindings and ProjectRoleTemplateBindings using the Kubernetes feature [Aggregated ClusterRoles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles). The new architecture results in a net reduction in RBAC objects (Roles, RoleBindings, ClusterRoles and ClusterRoleBindings) both in the Rancher cluster and the downstream clusters. + +| Environment Variable Key | Default Value | Description | +| --- | --- | --- | +| `aggregated-roletemplates` | `false` | [Experimental] Make RoleTemplates use aggregation for generated RBAC roles. | + +The value of this feature flag is locked on installation, which shows up in the UI as a lock symbol beside the feature flag. That means the feature can only be set on the first ever installation of Rancher. After that, attempting to modify the value will be denied. diff --git a/versioned_sidebars/version-2.11-sidebars.json b/versioned_sidebars/version-2.11-sidebars.json index 394116ed4be..6a603a8a71d 100644 --- a/versioned_sidebars/version-2.11-sidebars.json +++ b/versioned_sidebars/version-2.11-sidebars.json 
@@ -759,7 +759,8 @@ "how-to-guides/advanced-user-guides/enable-experimental-features/rancher-on-arm64", "how-to-guides/advanced-user-guides/enable-experimental-features/unsupported-storage-drivers", "how-to-guides/advanced-user-guides/enable-experimental-features/istio-traffic-management-features", - "how-to-guides/advanced-user-guides/enable-experimental-features/continuous-delivery" + "how-to-guides/advanced-user-guides/enable-experimental-features/continuous-delivery", + "how-to-guides/advanced-user-guides/enable-experimental-features/cluster-role-aggregation" ] }, "how-to-guides/advanced-user-guides/open-ports-with-firewalld",
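Review bot: Naming is inconsistent in the `aggregated-roletemplates` bullet added in the `@@ -18,6 +18,7 @@` hunk of PATCH 1/4 (`docs/.../feature-flags.md`): the sentence says "cluster role aggregation architecture" and the link text reads "Cluster Role Aggregation", while the page it links to is titled "ClusterRole Aggregation". Pick one spelling, preferably the one matching the Kubernetes resource name `ClusterRole`, so a reader searching the docs finds a single term. The same bullet is copied verbatim into `versioned_docs/version-2.11/.../feature-flags.md` in PATCH 4/4, so apply the fix in both files.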
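Review bot: The table row added in the `@@ -38,6 +39,7 @@` hunk of PATCH 1/4 (`docs/.../feature-flags.md`) has two defects: the flag name is missing its closing backtick (`| \`aggregated-roletemplates | \`false\` |`), so the inline code span runs into the next cell and the table renders wrongly, and the Status cell misspells "experimental" as "experimentatl". PATCH 2/4 repairs the backtick, but the misspelling survives that patch and is copied into the versioned table in PATCH 4/4; change it to "Highly experimental" wherever the row appears. The Additional Information cell correctly flags that the value is locked on install; since this is the only row in the table a user cannot toggle afterwards, it is worth also pointing readers to the linked page for what the lock means for upgrades.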
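Review bot: The new page in the `@@ -0,0 +1,19 @@` hunk of PATCH 1/4 (`docs/.../cluster-role-aggregation.md`) leaves five empty `+` lines between the front matter and the `:::caution` admonition; collapse them to one. The table header "Environment Variable Key" mislabels `aggregated-roletemplates`, which the rest of the page and the feature-flags reference call a feature flag; use a header such as "Feature Flag Name", as the feature-flags table does. The page also never says how the flag is set, which matters because the last paragraph states the value can only be set on the first ever installation of Rancher; spell out the consequence of that rule as well, namely that an existing installation upgraded to v2.11 keeps the default `false` and that evaluating the feature requires a fresh install. Given that the feature changes how RBAC objects (Roles, RoleBindings, ClusterRoles, ClusterRoleBindings) are generated in both the Rancher cluster and downstream clusters, that one-way choice is the detail a cluster operator most needs before enabling it.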
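Review bot: The `@@ -39,7 +39,7 @@` hunk of PATCH 2/4 restores the missing closing backtick on `aggregated-roletemplates` but leaves "Highly experimentatl" in the same row; since the commit already touches this exact line, fix the misspelling here rather than carrying it forward into PATCH 4/4.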
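Review bot: In the `@@ -7,13 +7,13 @@` hunk of PATCH 3/4 the table is correctly converted to the pipe-bordered form, and the added trailing period on the description is consistent, but the header still reads "Environment Variable Key" for what the Description cell itself calls RoleTemplates using a feature flag; rename the column while this table is being rewritten. The "locked on install" to "locked on installation" wording change in the final paragraph is fine.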
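Review bot: The `@@ -38,6 +39,7 @@` hunk of PATCH 4/4 for `versioned_docs/version-2.11/.../feature-flags.md` carries the "Highly experimentatl" misspelling from PATCH 1/4 into the versioned table; because version-2.11 is the copy users of that release will read, fix it here as well as in the unversioned file.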
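Review bot: The versioned page in the `@@ -0,0 +1,19 @@` hunk of PATCH 4/4 (`versioned_docs/version-2.11/.../cluster-role-aggregation.md`) reproduces the five blank lines after the front matter and the "Environment Variable Key" header from the unversioned page; the index lines show both files end at the same blob (`b28f285bb72`), so whatever fixes land on `docs/.../cluster-role-aggregation.md` must be applied to this copy too, or the two will drift on the first edit. The `sidebars.js` and `version-2.11-sidebars.json` hunks are correct as written: the JS entry keeps the trailing comma used by its neighbours and the JSON entry does not add one.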