mirror of
https://github.com/rancher/rancher-docs.git
synced 2026-03-14 13:24:12 +00:00
Merge pull request #2224 from sunilarjun/update-ns
Updating ns exemptions
@@ -12,28 +12,50 @@ plugins:
warn-version: latest
exemptions:
namespaces:
- ingress-nginx
- kube-system
- cattle-system
- cattle-epinio-system
- cattle-fleet-system
- cattle-fleet-local-system
- longhorn-system
- cattle-neuvector-system
- cattle-monitoring-system
- rancher-alerting-drivers
- cis-operator-system
- calico-apiserver
- calico-system
- cattle-alerting
- cattle-capi-system
- cattle-csp-adapter-system
- cattle-elemental-system
- cattle-epinio-system
- cattle-externalip-system
- cattle-fleet-local-system
- cattle-fleet-system
- cattle-gatekeeper-system
- istio-system
- cattle-global-data
- cattle-global-nt
- cattle-impersonation-system
- cattle-istio
- cattle-istio-system
- cattle-logging
- cattle-logging-system
- cattle-windows-gmsa-system
- cattle-sriov-system
- cattle-ui-plugin-system
- tigera-operator
- cattle-monitoring-system
- cattle-neuvector-system
- cattle-prometheus
- cattle-provisioning-capi-system
- cattle-resources-system
- cattle-sriov-system
- cattle-system
- cattle-turtles-system
- cattle-ui-plugin-system
- cattle-windows-gmsa-system
- cert-manager
- cis-operator-system
- compliance-operator-system
- fleet-default
- fleet-local
- istio-system
- kube-node-lease
- kube-public
- kube-system
- longhorn-system
- rancher-alerting-drivers
- rancher-compliance-system
- security-scan
- sr-operator-system
- tigera-operator
- traefik
kind: PodSecurityConfiguration
name: PodSecurity
path: ""

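Review bot: the rewritten, alphabetically sorted namespace list in this hunk (`- calico-apiserver` through `- traefik`) has no `ingress-nginx` entry, yet the markdown list in the `@@ -112,22 +113,25 @@` hunk of this same PR still carries `- \`ingress-nginx\`` between `fleet-local` and `istio-system`. If ingress-nginx pods are meant to stay exempt from the restricted profile, add `- ingress-nginx` after `- fleet-local`; if the exemption is being dropped on purpose, remove it from the markdown list as well so the two stay in sync. Every name in this list switches Pod Security Admission off for all pods in that namespace, so the documented list should carry only the namespaces Rancher and its charts actually need.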
@@ -91,6 +91,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
- `calico-apiserver`
- `calico-system`
- `cattle-alerting`
- `cattle-capi-system`
- `cattle-csp-adapter-system`
- `cattle-elemental-system`
- `cattle-epinio-system`
@@ -112,22 +113,25 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
- `cattle-resources-system`
- `cattle-sriov-system`
- `cattle-system`
- `cattle-turtles-system`
- `cattle-ui-plugin-system`
- `cattle-windows-gmsa-system`
- `cert-manager`
- `cis-operator-system`
- `compliance-operator-system`
- `fleet-default`
- `fleet-local`
- `ingress-nginx`
- `istio-system`
- `kube-node-lease`
- `kube-public`
- `kube-system`
- `longhorn-system`
- `rancher-alerting-drivers`
- `rancher-compliance-system`
- `security-scan`
- `sr-operator-system`
- `tigera-operator`
- `traefik`

Rancher, some Rancher owned charts, and RKE2 and K3s distributions all use these namespaces. A subset of the listed namespaces are already exempt in the built-in Rancher `rancher-restricted` policy, for use in downstream clusters. For a complete template which has all the exemptions you need to run Rancher, please refer to this [sample Admission Configuration](../../../reference-guides/rancher-security/psa-restricted-exemptions.md).


@@ -24,46 +24,51 @@ plugins:
warn: "restricted"
warn-version: "latest"
exemptions:
usernames: []
namespaces:
- calico-apiserver
- calico-system
- cattle-alerting
- cattle-capi-system
- cattle-csp-adapter-system
- cattle-elemental-system
- cattle-epinio-system
- cattle-externalip-system
- cattle-fleet-local-system
- cattle-fleet-system
- cattle-gatekeeper-system
- cattle-global-data
- cattle-global-nt
- cattle-impersonation-system
- cattle-istio
- cattle-istio-system
- cattle-logging
- cattle-logging-system
- cattle-monitoring-system
- cattle-neuvector-system
- cattle-prometheus
- cattle-provisioning-capi-system
- cattle-resources-system
- cattle-sriov-system
- cattle-system
- cattle-turtles-system
- cattle-ui-plugin-system
- cattle-windows-gmsa-system
- cert-manager
- cis-operator-system
- compliance-operator-system
- fleet-default
- fleet-local
- istio-system
- kube-node-lease
- kube-public
- kube-system
- longhorn-system
- rancher-alerting-drivers
- rancher-compliance-system
- security-scan
- sr-operator-system
- tigera-operator
- traefik
runtimeClasses: []
namespaces: [calico-apiserver,
calico-system,
cattle-alerting,
cattle-csp-adapter-system,
cattle-elemental-system,
cattle-epinio-system,
cattle-externalip-system,
cattle-fleet-local-system,
cattle-fleet-system,
cattle-gatekeeper-system,
cattle-global-data,
cattle-global-nt,
cattle-impersonation-system,
cattle-istio,
cattle-istio-system,
cattle-logging,
cattle-logging-system,
cattle-monitoring-system,
cattle-neuvector-system,
cattle-prometheus,
cattle-provisioning-capi-system,
cattle-resources-system,
cattle-sriov-system,
cattle-system,
cattle-ui-plugin-system,
cattle-windows-gmsa-system,
cert-manager,
cis-operator-system,
fleet-default,
fleet-local,
ingress-nginx,
istio-system,
kube-node-lease,
kube-public,
kube-system,
longhorn-system,
rancher-alerting-drivers,
security-scan,
sr-operator-system,
tigera-operator]
usernames: []
```

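Review bot: the new block-style `namespaces:` list goes straight from `- fleet-local` to `- istio-system`, while the flow-style list it replaces has `ingress-nginx,` in exactly that position, so this file (which appears to be the sample Admission Configuration the markdown page links to as the complete set of exemptions) silently drops the ingress-nginx exemption; either restore `- ingress-nginx` or state the removal in the PR. The hunk also shows `usernames: []` both directly under `exemptions:` and again after `tigera-operator]`; make sure the updated file ends with exactly one `usernames: []` beside the new `runtimeClasses: []`, since a repeated mapping key is rejected by strict YAML parsers and is at best ambiguous. Moving the list from flow to block style is a good change: one namespace per line keeps future diffs reviewable.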
@@ -12,26 +12,50 @@ plugins:
warn-version: latest
exemptions:
namespaces:
- ingress-nginx
- kube-system
- cattle-system
- cattle-epinio-system
- cattle-fleet-system
- longhorn-system
- cattle-neuvector-system
- cattle-monitoring-system
- rancher-alerting-drivers
- cis-operator-system
- calico-apiserver
- calico-system
- cattle-alerting
- cattle-capi-system
- cattle-csp-adapter-system
- cattle-elemental-system
- cattle-epinio-system
- cattle-externalip-system
- cattle-fleet-local-system
- cattle-fleet-system
- cattle-gatekeeper-system
- istio-system
- cattle-global-data
- cattle-global-nt
- cattle-impersonation-system
- cattle-istio
- cattle-istio-system
- cattle-logging
- cattle-logging-system
- cattle-windows-gmsa-system
- cattle-monitoring-system
- cattle-neuvector-system
- cattle-prometheus
- cattle-provisioning-capi-system
- cattle-resources-system
- cattle-sriov-system
- cattle-system
- cattle-turtles-system
- cattle-ui-plugin-system
- cattle-windows-gmsa-system
- cert-manager
- cis-operator-system
- compliance-operator-system
- fleet-default
- fleet-local
- istio-system
- kube-node-lease
- kube-public
- kube-system
- longhorn-system
- rancher-alerting-drivers
- rancher-compliance-system
- security-scan
- sr-operator-system
- tigera-operator
- traefik
kind: PodSecurityConfiguration
name: PodSecurity
path: ""
path: ""

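Review bot: `path: ""` appears twice at the end of this hunk, which in a diff means the old and new lines differ in something this rendering does not show, most likely leading whitespace; check that the surviving line is indented to the same level as `name: PodSecurity`, so that `path` stays a sibling of `name` instead of nesting under the wrong key and being ignored by the apiserver. The sorted list here also lacks `ingress-nginx`, which the markdown list in the `@@ -106,23 +108,29 @@` hunk still carries; keep the YAML and the prose list consistent.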
@@ -90,7 +90,9 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
- `calico-apiserver`
- `calico-system`
- `cattle-alerting`
- `cattle-capi-system`
- `cattle-csp-adapter-system`
- `cattle-elemental-system`
- `cattle-epinio-system`
- `cattle-externalip-system`
- `cattle-fleet-local-system`
@@ -106,23 +108,29 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
- `cattle-monitoring-system`
- `cattle-neuvector-system`
- `cattle-prometheus`
- `cattle-provisioning-capi-system`
- `cattle-resources-system`
- `cattle-sriov-system`
- `cattle-system`
- `cattle-turtles-system`
- `cattle-ui-plugin-system`
- `cattle-windows-gmsa-system`
- `cert-manager`
- `cis-operator-system`
- `compliance-operator-system`
- `fleet-default`
- `fleet-local`
- `ingress-nginx`
- `istio-system`
- `kube-node-lease`
- `kube-public`
- `kube-system`
- `longhorn-system`
- `rancher-alerting-drivers`
- `rancher-compliance-system`
- `security-scan`
- `sr-operator-system`
- `tigera-operator`
- `traefik`

Rancher、Rancher 拥有的一些 Chart 以及 RKE2 和 K3s 发行版都使用这些命名空间。列出的命名空间的一个子集已经在内置的 Rancher `rancher-restricted` 策略中被豁免,用于下游集群。有关运行 Rancher 所需的所有豁免的完整模板,请参阅此[准入配置示例](../../../reference-guides/rancher-security/psa-restricted-exemptions.md)。


@@ -20,43 +20,51 @@ plugins:
warn: "restricted"
warn-version: "latest"
exemptions:
usernames: []
namespaces:
- calico-apiserver
- calico-system
- cattle-alerting
- cattle-capi-system
- cattle-csp-adapter-system
- cattle-elemental-system
- cattle-epinio-system
- cattle-externalip-system
- cattle-fleet-local-system
- cattle-fleet-system
- cattle-gatekeeper-system
- cattle-global-data
- cattle-global-nt
- cattle-impersonation-system
- cattle-istio
- cattle-istio-system
- cattle-logging
- cattle-logging-system
- cattle-monitoring-system
- cattle-neuvector-system
- cattle-prometheus
- cattle-provisioning-capi-system
- cattle-resources-system
- cattle-sriov-system
- cattle-system
- cattle-turtles-system
- cattle-ui-plugin-system
- cattle-windows-gmsa-system
- cert-manager
- cis-operator-system
- compliance-operator-system
- fleet-default
- fleet-local
- istio-system
- kube-node-lease
- kube-public
- kube-system
- longhorn-system
- rancher-alerting-drivers
- rancher-compliance-system
- security-scan
- sr-operator-system
- tigera-operator
- traefik
runtimeClasses: []
namespaces: [calico-apiserver,
calico-system,
cattle-alerting,
cattle-csp-adapter-system,
cattle-elemental-system,
cattle-epinio-system,
cattle-externalip-system,
cattle-fleet-local-system,
cattle-fleet-system,
cattle-gatekeeper-system,
cattle-global-data,
cattle-global-nt,
cattle-impersonation-system,
cattle-istio,
cattle-istio-system,
cattle-logging,
cattle-logging-system,
cattle-monitoring-system,
cattle-neuvector-system,
cattle-prometheus,
cattle-resources-system,
cattle-sriov-system,
cattle-system,
cattle-ui-plugin-system,
cattle-windows-gmsa-system,
cert-manager,
cis-operator-system,
fleet-default,
ingress-nginx,
istio-system,
kube-node-lease,
kube-public,
kube-system,
longhorn-system,
rancher-alerting-drivers,
security-scan,
tigera-operator]
usernames: []
```

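Review bot: the flow-style list being replaced here contains `ingress-nginx,` right after `fleet-default,`, but the new block list jumps from `- fleet-local` to `- istio-system`, so the ingress-nginx exemption disappears from this sample without being mentioned; restore `- ingress-nginx` or document the removal. `usernames: []` is also shown both under `exemptions:` and after `tigera-operator]`; confirm that the final file keeps a single `usernames: []` next to `runtimeClasses: []`, as a duplicated mapping key is an error for strict YAML parsers.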