diff --git a/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index 361adde18a6..0b0fb33c74d 100644
--- a/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -12,28 +12,50 @@ plugins:
 warn-version: latest
 exemptions:
 namespaces:
- - ingress-nginx
- - kube-system
- - cattle-system
- - cattle-epinio-system
- - cattle-fleet-system
- - cattle-fleet-local-system
- - longhorn-system
- - cattle-neuvector-system
- - cattle-monitoring-system
- - rancher-alerting-drivers
- - cis-operator-system
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
 - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
 - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
 - cattle-gatekeeper-system
- - istio-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
 - cattle-istio-system
+ - cattle-logging
 - cattle-logging-system
- - cattle-windows-gmsa-system
- - cattle-sriov-system
- - cattle-ui-plugin-system
- - tigera-operator
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
 - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
+ - traefik
 kind: PodSecurityConfiguration
 name: PodSecurity
 path: ""
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index e924a4cfffa..d4a4ed070bd 100644
--- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
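Review bot: Several namespaces added to `exemptions.namespaces` in this hunk — `kube-public`, `kube-node-lease`, `fleet-default`, `fleet-local`, `cattle-global-data`, `cattle-global-nt` — look like namespaces that hold Rancher objects rather than workloads, and a namespace exemption switches off enforce, audit and warn for every pod created there by any principal, not only for Rancher's own pods. The list is also applied before most of these namespaces exist, so whoever is later allowed to create a namespace with one of these names inherits the exemption, and the file carries no comment warning about either point. I would add above `namespaces:` a comment such as `# Every namespace below is fully excluded from PSA (enforce/audit/warn). Remove entries for components you do not install, and confirm that pod creation in the remaining ones is limited to cluster admins.` and have the operator check non-admin principals with `kubectl auth can-i create pods -n <ns> --as=<user>`. I cannot tell from the hunk which of these namespaces actually host pods, so treat the specific names as a prompt to verify rather than a finding.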
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -91,6 +91,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `calico-apiserver`
 - `calico-system`
 - `cattle-alerting`
+- `cattle-capi-system`
 - `cattle-csp-adapter-system`
 - `cattle-elemental-system`
 - `cattle-epinio-system`
@@ -112,22 +113,25 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `cattle-resources-system`
 - `cattle-sriov-system`
 - `cattle-system`
+- `cattle-turtles-system`
 - `cattle-ui-plugin-system`
 - `cattle-windows-gmsa-system`
 - `cert-manager`
 - `cis-operator-system`
+- `compliance-operator-system`
 - `fleet-default`
 - `fleet-local`
-- `ingress-nginx`
 - `istio-system`
 - `kube-node-lease`
 - `kube-public`
 - `kube-system`
 - `longhorn-system`
 - `rancher-alerting-drivers`
+- `rancher-compliance-system`
 - `security-scan`
 - `sr-operator-system`
 - `tigera-operator`
+- `traefik`
 Rancher, some Rancher owned charts, and RKE2 and K3s distributions all use these namespaces. A subset of the listed namespaces are already exempt in the built-in Rancher `rancher-restricted` policy, for use in downstream clusters. For a complete template which has all the exemptions you need to run Rancher, please refer to this [sample Admission Configuration](../../../reference-guides/rancher-security/psa-restricted-exemptions.md).
diff --git a/docs/reference-guides/rancher-security/psa-restricted-exemptions.md b/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
index 09afca597e0..c404dc04bc2 100644
--- a/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -24,46 +24,51 @@ plugins:
 warn: "restricted"
 warn-version: "latest"
 exemptions:
- usernames: []
+ namespaces:
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
+ - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
+ - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
+ - cattle-gatekeeper-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
+ - cattle-istio-system
+ - cattle-logging
+ - cattle-logging-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
+ - traefik
 runtimeClasses: []
- namespaces: [calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-elemental-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-provisioning-capi-system,
- cattle-resources-system,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- fleet-local,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- rancher-alerting-drivers,
- security-scan,
- sr-operator-system,
- tigera-operator]
+ usernames: []
 ```
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index ae248cc9b7c..0b0fb33c74d 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -12,26 +12,50 @@ plugins: warn-version: latest exemptions: namespaces: - - ingress-nginx - - kube-system - - cattle-system - - cattle-epinio-system - - cattle-fleet-system - - longhorn-system - - cattle-neuvector-system - - cattle-monitoring-system - - rancher-alerting-drivers - - cis-operator-system + - calico-apiserver + - calico-system + - cattle-alerting + - cattle-capi-system - cattle-csp-adapter-system + - cattle-elemental-system + - cattle-epinio-system - cattle-externalip-system + - cattle-fleet-local-system + - cattle-fleet-system - cattle-gatekeeper-system - - istio-system + - cattle-global-data + - cattle-global-nt + - cattle-impersonation-system + - cattle-istio - cattle-istio-system + - cattle-logging - cattle-logging-system - - cattle-windows-gmsa-system + - cattle-monitoring-system + - cattle-neuvector-system + - cattle-prometheus + - cattle-provisioning-capi-system + - cattle-resources-system - cattle-sriov-system + - cattle-system + - cattle-turtles-system - cattle-ui-plugin-system + - cattle-windows-gmsa-system + - cert-manager + - cis-operator-system + - compliance-operator-system + - fleet-default + - fleet-local + - istio-system + - kube-node-lease + - kube-public + - kube-system + - longhorn-system + - rancher-alerting-drivers + - rancher-compliance-system + - security-scan + - sr-operator-system - tigera-operator + - traefik kind: PodSecurityConfiguration name: PodSecurity - path: "" \ No newline at end of file + path: "" diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 22d7033980d..8f3969f36ad 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md 
+++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -90,7 +90,9 @@ The policies shipped by default in Rancher aim to provide a trade-off between se - `calico-apiserver` - `calico-system` - `cattle-alerting` +- `cattle-capi-system` - `cattle-csp-adapter-system` +- `cattle-elemental-system` - `cattle-epinio-system` - `cattle-externalip-system` - `cattle-fleet-local-system` @@ -106,23 +108,29 @@ The policies shipped by default in Rancher aim to provide a trade-off between se - `cattle-monitoring-system` - `cattle-neuvector-system` - `cattle-prometheus` +- `cattle-provisioning-capi-system` +- `cattle-resources-system` - `cattle-sriov-system` - `cattle-system` +- `cattle-turtles-system` - `cattle-ui-plugin-system` - `cattle-windows-gmsa-system` - `cert-manager` - `cis-operator-system` +- `compliance-operator-system` - `fleet-default` - `fleet-local` -- `ingress-nginx` - `istio-system` - `kube-node-lease` - `kube-public` - `kube-system` - `longhorn-system` - `rancher-alerting-drivers` +- `rancher-compliance-system` - `security-scan` +- `sr-operator-system` - `tigera-operator` +- `traefik` Rancher、Rancher 拥有的一些 Chart 以及 RKE2 和 K3s 发行版都使用这些命名空间。列出的命名空间的一个子集已经在内置的 Rancher `rancher-restricted` 策略中被豁免,用于下游集群。有关运行 Rancher 所需的所有豁免的完整模板,请参阅此[准入配置示例](../../../reference-guides/rancher-security/psa-restricted-exemptions.md)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md index d623ef71dfb..05462e2c546 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md 
@@ -20,43 +20,51 @@ plugins: warn: "restricted" warn-version: "latest" exemptions: - usernames: [] + namespaces: + - calico-apiserver + - calico-system + - cattle-alerting + - cattle-capi-system + - cattle-csp-adapter-system + - cattle-elemental-system + - cattle-epinio-system + - cattle-externalip-system + - cattle-fleet-local-system + - cattle-fleet-system + - cattle-gatekeeper-system + - cattle-global-data + - cattle-global-nt + - cattle-impersonation-system + - cattle-istio + - cattle-istio-system + - cattle-logging + - cattle-logging-system + - cattle-monitoring-system + - cattle-neuvector-system + - cattle-prometheus + - cattle-provisioning-capi-system + - cattle-resources-system + - cattle-sriov-system + - cattle-system + - cattle-turtles-system + - cattle-ui-plugin-system + - cattle-windows-gmsa-system + - cert-manager + - cis-operator-system + - compliance-operator-system + - fleet-default + - fleet-local + - istio-system + - kube-node-lease + - kube-public + - kube-system + - longhorn-system + - rancher-alerting-drivers + - rancher-compliance-system + - security-scan + - sr-operator-system + - tigera-operator + - traefik runtimeClasses: [] - namespaces: [calico-apiserver, - calico-system, - cattle-alerting, - cattle-csp-adapter-system, - cattle-elemental-system, - cattle-epinio-system, - cattle-externalip-system, - cattle-fleet-local-system, - cattle-fleet-system, - cattle-gatekeeper-system, - cattle-global-data, - cattle-global-nt, - cattle-impersonation-system, - cattle-istio, - cattle-istio-system, - cattle-logging, - cattle-logging-system, - cattle-monitoring-system, - cattle-neuvector-system, - cattle-prometheus, - cattle-resources-system, - cattle-sriov-system, - cattle-system, - cattle-ui-plugin-system, - cattle-windows-gmsa-system, - cert-manager, - cis-operator-system, - fleet-default, - ingress-nginx, - istio-system, - kube-node-lease, - kube-public, - kube-system, - longhorn-system, - rancher-alerting-drivers, - security-scan, - 
tigera-operator] + usernames: [] ``` diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml index ae248cc9b7c..0b0fb33c74d 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml 
@@ -12,26 +12,50 @@ plugins: warn-version: latest exemptions: namespaces: - - ingress-nginx - - kube-system - - cattle-system - - cattle-epinio-system - - cattle-fleet-system - - longhorn-system - - cattle-neuvector-system - - cattle-monitoring-system - - rancher-alerting-drivers - - cis-operator-system + - calico-apiserver + - calico-system + - cattle-alerting + - cattle-capi-system - cattle-csp-adapter-system + - cattle-elemental-system + - cattle-epinio-system - cattle-externalip-system + - cattle-fleet-local-system + - cattle-fleet-system - cattle-gatekeeper-system - - istio-system + - cattle-global-data + - cattle-global-nt + - cattle-impersonation-system + - cattle-istio - cattle-istio-system + - cattle-logging - cattle-logging-system - - cattle-windows-gmsa-system + - cattle-monitoring-system + - cattle-neuvector-system + - cattle-prometheus + - cattle-provisioning-capi-system + - cattle-resources-system - cattle-sriov-system + - cattle-system + - cattle-turtles-system - cattle-ui-plugin-system + - cattle-windows-gmsa-system + - cert-manager + - cis-operator-system + - compliance-operator-system + - fleet-default + - fleet-local + - istio-system + - kube-node-lease + - kube-public + - kube-system + - longhorn-system + - rancher-alerting-drivers + - rancher-compliance-system + - security-scan + - sr-operator-system - tigera-operator + - traefik kind: PodSecurityConfiguration name: PodSecurity - path: "" \ No newline at end of file + path: "" diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 22d7033980d..8f3969f36ad 100644 
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -90,7 +90,9 @@ The policies shipped by default in Rancher aim to provide a trade-off between se - `calico-apiserver` - `calico-system` - `cattle-alerting` +- `cattle-capi-system` - `cattle-csp-adapter-system` +- `cattle-elemental-system` - `cattle-epinio-system` - `cattle-externalip-system` - `cattle-fleet-local-system` @@ -106,23 +108,29 @@ The policies shipped by default in Rancher aim to provide a trade-off between se - `cattle-monitoring-system` - `cattle-neuvector-system` - `cattle-prometheus` +- `cattle-provisioning-capi-system` +- `cattle-resources-system` - `cattle-sriov-system` - `cattle-system` +- `cattle-turtles-system` - `cattle-ui-plugin-system` - `cattle-windows-gmsa-system` - `cert-manager` - `cis-operator-system` +- `compliance-operator-system` - `fleet-default` - `fleet-local` -- `ingress-nginx` - `istio-system` - `kube-node-lease` - `kube-public` - `kube-system` - `longhorn-system` - `rancher-alerting-drivers` +- `rancher-compliance-system` - `security-scan` +- `sr-operator-system` - `tigera-operator` +- `traefik` Rancher、Rancher 拥有的一些 Chart 以及 RKE2 和 K3s 发行版都使用这些命名空间。列出的命名空间的一个子集已经在内置的 Rancher `rancher-restricted` 策略中被豁免,用于下游集群。有关运行 Rancher 所需的所有豁免的完整模板,请参阅此[准入配置示例](../../../reference-guides/rancher-security/psa-restricted-exemptions.md)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md index d623ef71dfb..05462e2c546 100644 
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md 
@@ -20,43 +20,51 @@ plugins: warn: "restricted" warn-version: "latest" exemptions: - usernames: [] + namespaces: + - calico-apiserver + - calico-system + - cattle-alerting + - cattle-capi-system + - cattle-csp-adapter-system + - cattle-elemental-system + - cattle-epinio-system + - cattle-externalip-system + - cattle-fleet-local-system + - cattle-fleet-system + - cattle-gatekeeper-system + - cattle-global-data + - cattle-global-nt + - cattle-impersonation-system + - cattle-istio + - cattle-istio-system + - cattle-logging + - cattle-logging-system + - cattle-monitoring-system + - cattle-neuvector-system + - cattle-prometheus + - cattle-provisioning-capi-system + - cattle-resources-system + - cattle-sriov-system + - cattle-system + - cattle-turtles-system + - cattle-ui-plugin-system + - cattle-windows-gmsa-system + - cert-manager + - cis-operator-system + - compliance-operator-system + - fleet-default + - fleet-local + - istio-system + - kube-node-lease + - kube-public + - kube-system + - longhorn-system + - rancher-alerting-drivers + - rancher-compliance-system + - security-scan + - sr-operator-system + - tigera-operator + - traefik runtimeClasses: [] - namespaces: [calico-apiserver, - calico-system, - cattle-alerting, - cattle-csp-adapter-system, - cattle-elemental-system, - cattle-epinio-system, - cattle-externalip-system, - cattle-fleet-local-system, - cattle-fleet-system, - cattle-gatekeeper-system, - cattle-global-data, - cattle-global-nt, - cattle-impersonation-system, - cattle-istio, - cattle-istio-system, - cattle-logging, - cattle-logging-system, - cattle-monitoring-system, - cattle-neuvector-system, - cattle-prometheus, - cattle-resources-system, - cattle-sriov-system, - cattle-system, - cattle-ui-plugin-system, - cattle-windows-gmsa-system, - cert-manager, - cis-operator-system, - fleet-default, - ingress-nginx, - istio-system, - kube-node-lease, - kube-public, - kube-system, - longhorn-system, - rancher-alerting-drivers, - security-scan, - 
tigera-operator] + usernames: [] ``` diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml index ae248cc9b7c..0b0fb33c74d 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml 
@@ -12,26 +12,50 @@ plugins: warn-version: latest exemptions: namespaces: - - ingress-nginx - - kube-system - - cattle-system - - cattle-epinio-system - - cattle-fleet-system - - longhorn-system - - cattle-neuvector-system - - cattle-monitoring-system - - rancher-alerting-drivers - - cis-operator-system + - calico-apiserver + - calico-system + - cattle-alerting + - cattle-capi-system - cattle-csp-adapter-system + - cattle-elemental-system + - cattle-epinio-system - cattle-externalip-system + - cattle-fleet-local-system + - cattle-fleet-system - cattle-gatekeeper-system - - istio-system + - cattle-global-data + - cattle-global-nt + - cattle-impersonation-system + - cattle-istio - cattle-istio-system + - cattle-logging - cattle-logging-system - - cattle-windows-gmsa-system + - cattle-monitoring-system + - cattle-neuvector-system + - cattle-prometheus + - cattle-provisioning-capi-system + - cattle-resources-system - cattle-sriov-system + - cattle-system + - cattle-turtles-system - cattle-ui-plugin-system + - cattle-windows-gmsa-system + - cert-manager + - cis-operator-system + - compliance-operator-system + - fleet-default + - fleet-local + - istio-system + - kube-node-lease + - kube-public + - kube-system + - longhorn-system + - rancher-alerting-drivers + - rancher-compliance-system + - security-scan + - sr-operator-system - tigera-operator + - traefik kind: PodSecurityConfiguration name: PodSecurity - path: "" \ No newline at end of file + path: "" diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index 22d7033980d..8f3969f36ad 100644 
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -90,7 +90,9 @@ The policies shipped by default in Rancher aim to provide a trade-off between se - `calico-apiserver` - `calico-system` - `cattle-alerting` +- `cattle-capi-system` - `cattle-csp-adapter-system` +- `cattle-elemental-system` - `cattle-epinio-system` - `cattle-externalip-system` - `cattle-fleet-local-system` @@ -106,23 +108,29 @@ The policies shipped by default in Rancher aim to provide a trade-off between se - `cattle-monitoring-system` - `cattle-neuvector-system` - `cattle-prometheus` +- `cattle-provisioning-capi-system` +- `cattle-resources-system` - `cattle-sriov-system` - `cattle-system` +- `cattle-turtles-system` - `cattle-ui-plugin-system` - `cattle-windows-gmsa-system` - `cert-manager` - `cis-operator-system` +- `compliance-operator-system` - `fleet-default` - `fleet-local` -- `ingress-nginx` - `istio-system` - `kube-node-lease` - `kube-public` - `kube-system` - `longhorn-system` - `rancher-alerting-drivers` +- `rancher-compliance-system` - `security-scan` +- `sr-operator-system` - `tigera-operator` +- `traefik` Rancher、Rancher 拥有的一些 Chart 以及 RKE2 和 K3s 发行版都使用这些命名空间。列出的命名空间的一个子集已经在内置的 Rancher `rancher-restricted` 策略中被豁免,用于下游集群。有关运行 Rancher 所需的所有豁免的完整模板,请参阅此[准入配置示例](../../../reference-guides/rancher-security/psa-restricted-exemptions.md)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md index d623ef71dfb..05462e2c546 100644 
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md 
@@ -20,43 +20,51 @@ plugins: warn: "restricted" warn-version: "latest" exemptions: - usernames: [] + namespaces: + - calico-apiserver + - calico-system + - cattle-alerting + - cattle-capi-system + - cattle-csp-adapter-system + - cattle-elemental-system + - cattle-epinio-system + - cattle-externalip-system + - cattle-fleet-local-system + - cattle-fleet-system + - cattle-gatekeeper-system + - cattle-global-data + - cattle-global-nt + - cattle-impersonation-system + - cattle-istio + - cattle-istio-system + - cattle-logging + - cattle-logging-system + - cattle-monitoring-system + - cattle-neuvector-system + - cattle-prometheus + - cattle-provisioning-capi-system + - cattle-resources-system + - cattle-sriov-system + - cattle-system + - cattle-turtles-system + - cattle-ui-plugin-system + - cattle-windows-gmsa-system + - cert-manager + - cis-operator-system + - compliance-operator-system + - fleet-default + - fleet-local + - istio-system + - kube-node-lease + - kube-public + - kube-system + - longhorn-system + - rancher-alerting-drivers + - rancher-compliance-system + - security-scan + - sr-operator-system + - tigera-operator + - traefik runtimeClasses: [] - namespaces: [calico-apiserver, - calico-system, - cattle-alerting, - cattle-csp-adapter-system, - cattle-elemental-system, - cattle-epinio-system, - cattle-externalip-system, - cattle-fleet-local-system, - cattle-fleet-system, - cattle-gatekeeper-system, - cattle-global-data, - cattle-global-nt, - cattle-impersonation-system, - cattle-istio, - cattle-istio-system, - cattle-logging, - cattle-logging-system, - cattle-monitoring-system, - cattle-neuvector-system, - cattle-prometheus, - cattle-resources-system, - cattle-sriov-system, - cattle-system, - cattle-ui-plugin-system, - cattle-windows-gmsa-system, - cert-manager, - cis-operator-system, - fleet-default, - ingress-nginx, - istio-system, - kube-node-lease, - kube-public, - kube-system, - longhorn-system, - rancher-alerting-drivers, - security-scan, - 
tigera-operator] + usernames: [] ``` diff --git a/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml index 361adde18a6..0b0fb33c74d 100644 --- a/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml +++ b/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml 
@@ -12,28 +12,50 @@ plugins: warn-version: latest exemptions: namespaces: - - ingress-nginx - - kube-system - - cattle-system - - cattle-epinio-system - - cattle-fleet-system - - cattle-fleet-local-system - - longhorn-system - - cattle-neuvector-system - - cattle-monitoring-system - - rancher-alerting-drivers - - cis-operator-system + - calico-apiserver + - calico-system + - cattle-alerting + - cattle-capi-system - cattle-csp-adapter-system + - cattle-elemental-system + - cattle-epinio-system - cattle-externalip-system + - cattle-fleet-local-system + - cattle-fleet-system - cattle-gatekeeper-system - - istio-system + - cattle-global-data + - cattle-global-nt + - cattle-impersonation-system + - cattle-istio - cattle-istio-system + - cattle-logging - cattle-logging-system - - cattle-windows-gmsa-system - - cattle-sriov-system - - cattle-ui-plugin-system - - tigera-operator + - cattle-monitoring-system + - cattle-neuvector-system + - cattle-prometheus - cattle-provisioning-capi-system + - cattle-resources-system + - cattle-sriov-system + - cattle-system + - cattle-turtles-system + - cattle-ui-plugin-system + - cattle-windows-gmsa-system + - cert-manager + - cis-operator-system + - compliance-operator-system + - fleet-default + - fleet-local + - istio-system + - kube-node-lease + - kube-public + - kube-system + - longhorn-system + - rancher-alerting-drivers + - rancher-compliance-system + - security-scan + - sr-operator-system + - tigera-operator + - traefik kind: PodSecurityConfiguration name: PodSecurity path: "" diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md index e924a4cfffa..d4a4ed070bd 100644 --- a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md 
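Review bot: This hunk copies the full current exemption list into the version-2.13 sample, including namespaces such as `cattle-turtles-system`, `compliance-operator-system` and `rancher-compliance-system` that I cannot confirm are created by the charts available to 2.13; an exemption for a namespace nothing creates is not harmless, because whoever is later permitted to create a namespace of that name gets a space where PSA enforce, audit and warn are all disabled. The removal of `ingress-nginx` also means an operator who applied the previous version of this file while running that chart in its own namespace will see those pods evaluated under `restricted` after re-applying, which deserves a one-line upgrade note on the surrounding page. I would add above `namespaces:` a comment such as `# Keep only the namespaces that the components installed on this cluster actually create; an unused exemption is an escalation path, not a safety margin.`.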
+++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md @@ -91,6 +91,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit - `calico-apiserver` - `calico-system` - `cattle-alerting` +- `cattle-capi-system` - `cattle-csp-adapter-system` - `cattle-elemental-system` - `cattle-epinio-system` @@ -112,22 +113,25 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit - `cattle-resources-system` - `cattle-sriov-system` - `cattle-system` +- `cattle-turtles-system` - `cattle-ui-plugin-system` - `cattle-windows-gmsa-system` - `cert-manager` - `cis-operator-system` +- `compliance-operator-system` - `fleet-default` - `fleet-local` -- `ingress-nginx` - `istio-system` - `kube-node-lease` - `kube-public` - `kube-system` - `longhorn-system` - `rancher-alerting-drivers` +- `rancher-compliance-system` - `security-scan` - `sr-operator-system` - `tigera-operator` +- `traefik` Rancher, some Rancher owned charts, and RKE2 and K3s distributions all use these namespaces. A subset of the listed namespaces are already exempt in the built-in Rancher `rancher-restricted` policy, for use in downstream clusters. For a complete template which has all the exemptions you need to run Rancher, please refer to this [sample Admission Configuration](../../../reference-guides/rancher-security/psa-restricted-exemptions.md). diff --git a/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md b/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md index 09afca597e0..c404dc04bc2 100644 --- a/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md +++ b/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md 
@@ -24,46 +24,51 @@ plugins:
 warn: "restricted"
 warn-version: "latest"
 exemptions:
- usernames: []
+ namespaces:
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
+ - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
+ - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
+ - cattle-gatekeeper-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
+ - cattle-istio-system
+ - cattle-logging
+ - cattle-logging-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
+ - traefik
 runtimeClasses: []
- namespaces: [calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-elemental-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-provisioning-capi-system,
- cattle-resources-system,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- fleet-local,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- rancher-alerting-drivers,
- security-scan,
- sr-operator-system,
- tigera-operator]
+ usernames: []
 ```
diff --git a/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index 361adde18a6..0b0fb33c74d 100644
--- a/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -12,28 +12,50 @@ plugins:
 warn-version: latest
 exemptions:
 namespaces:
- - ingress-nginx
- - kube-system
- - cattle-system
- - cattle-epinio-system
- - cattle-fleet-system
- - cattle-fleet-local-system
- - longhorn-system
- - cattle-neuvector-system
- - cattle-monitoring-system
- - rancher-alerting-drivers
- - cis-operator-system
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
 - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
 - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
 - cattle-gatekeeper-system
- - istio-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
 - cattle-istio-system
+ - cattle-logging
 - cattle-logging-system
- - cattle-windows-gmsa-system
- - cattle-sriov-system
- - cattle-ui-plugin-system
- - tigera-operator
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
 - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
+ - traefik
 kind: PodSecurityConfiguration
 name: PodSecurity
 path: ""
diff --git a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index e924a4cfffa..d4a4ed070bd 100644
--- a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -91,6 +91,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `calico-apiserver`
 - `calico-system`
 - `cattle-alerting`
+- `cattle-capi-system`
 - `cattle-csp-adapter-system`
 - `cattle-elemental-system`
 - `cattle-epinio-system`
@@ -112,22 +113,25 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `cattle-resources-system`
 - `cattle-sriov-system`
 - `cattle-system`
+- `cattle-turtles-system`
 - `cattle-ui-plugin-system`
 - `cattle-windows-gmsa-system`
 - `cert-manager`
 - `cis-operator-system`
+- `compliance-operator-system`
 - `fleet-default`
 - `fleet-local`
-- `ingress-nginx`
 - `istio-system`
 - `kube-node-lease`
 - `kube-public`
 - `kube-system`
 - `longhorn-system`
 - `rancher-alerting-drivers`
+- `rancher-compliance-system`
 - `security-scan`
 - `sr-operator-system`
 - `tigera-operator`
+- `traefik`
 Rancher, some Rancher owned charts, and RKE2 and K3s distributions all use these namespaces. A subset of the listed namespaces are already exempt in the built-in Rancher `rancher-restricted` policy, for use in downstream clusters. For a complete template which has all the exemptions you need to run Rancher, please refer to this [sample Admission Configuration](../../../reference-guides/rancher-security/psa-restricted-exemptions.md).
diff --git a/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md b/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
index 09afca597e0..c404dc04bc2 100644
--- a/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -24,46 +24,51 @@ plugins:
 warn: "restricted"
 warn-version: "latest"
 exemptions:
- usernames: []
+ namespaces:
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
+ - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
+ - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
+ - cattle-gatekeeper-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
+ - cattle-istio-system
+ - cattle-logging
+ - cattle-logging-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
+ - traefik
 runtimeClasses: []
- namespaces: [calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-elemental-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-provisioning-capi-system,
- cattle-resources-system,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- fleet-local,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- rancher-alerting-drivers,
- security-scan,
- sr-operator-system,
- tigera-operator]
+ usernames: []
 ```