From b531d548721687921ee9235e40a03f5310cfe5b1 Mon Sep 17 00:00:00 2001
From: Sunil Singh
Date: Fri, 6 Mar 2026 14:21:52 -0800
Subject: [PATCH 1/3] Updating ns exemption list in sample configurations.
Signed-off-by: Sunil Singh
---
 .../rancher-psact.yaml | 54 ++++++++---
 .../psa-config-templates.md | 4 +
 .../psa-restricted-exemptions.md | 97 ++++++++++--------
 .../rancher-psact.yaml | 50 +++++++---
 .../psa-config-templates.md | 8 ++
 .../psa-restricted-exemptions.md | 94 +++++++++--------
 .../rancher-psact.yaml | 50 +++++++---
 .../psa-config-templates.md | 8 ++
 .../psa-restricted-exemptions.md | 94 +++++++++--------
 .../rancher-psact.yaml | 50 +++++++---
 .../psa-config-templates.md | 8 ++
 .../psa-restricted-exemptions.md | 94 +++++++++--------
 .../rancher-psact.yaml | 54 ++++++++---
 .../psa-config-templates.md | 4 +
 .../psa-restricted-exemptions.md | 97 ++++++++++--------
 .../rancher-psact.yaml | 54 ++++++++---
 .../psa-config-templates.md | 4 +
 .../psa-restricted-exemptions.md | 97 ++++++++++--------
 18 files changed, 555 insertions(+), 366 deletions(-)
diff --git a/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index 361adde18a6..b79ecda66e8 100644
--- a/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -12,28 +12,50 @@ plugins:
 warn-version: latest
 exemptions:
 namespaces:
- - ingress-nginx
- - kube-system
- - cattle-system
- - cattle-epinio-system
- - cattle-fleet-system
- - cattle-fleet-local-system
- - longhorn-system
- - cattle-neuvector-system
- - cattle-monitoring-system
- - rancher-alerting-drivers
- - cis-operator-system
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
 - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
 - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
 - cattle-gatekeeper-system
- - istio-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
 - cattle-istio-system
+ - cattle-logging
 - cattle-logging-system
- - cattle-windows-gmsa-system
- - cattle-sriov-system
- - cattle-ui-plugin-system
- - tigera-operator
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
 - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
 kind: PodSecurityConfiguration
 name: PodSecurity
 path: ""
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index e924a4cfffa..113bedf35c1 100644
--- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
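Review bot: The added list exempts 44 namespaces where the old one in this file exempted 22, and nothing in the file says that an entry under `exemptions.namespaces` switches off all three PodSecurity modes (enforce, audit and warn) for every pod created in that namespace, or that the list is a superset covering optional Rancher components. Add a comment above `namespaces:`, e.g. `# Every namespace listed here is fully exempt from PodSecurity; keep only the ones the components installed on this cluster actually use.` Entries such as `kube-public`, `kube-node-lease`, `fleet-default` and `fleet-local` are new on the added side and are not tied to a single Rancher workload, so the reader should be told they are deliberate rather than left to guess; whether every namespace on the list runs pods on a stock install I cannot tell from this diff. The same rewrite appears in the i18n/zh current, version-2.13 and version-2.14 copies and in versioned_docs/version-2.13, so the comment belongs in all five. The `defaults:` block this exemption list belongs to starts above the hunk.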
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -91,6 +91,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `calico-apiserver`
 - `calico-system`
 - `cattle-alerting`
+- `cattle-capi-system`
 - `cattle-csp-adapter-system`
 - `cattle-elemental-system`
 - `cattle-epinio-system`
@@ -112,10 +113,12 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `cattle-resources-system`
 - `cattle-sriov-system`
 - `cattle-system`
+- `cattle-turtles-system`
 - `cattle-ui-plugin-system`
 - `cattle-windows-gmsa-system`
 - `cert-manager`
 - `cis-operator-system`
+- `compliance-operator-system`
 - `fleet-default`
 - `fleet-local`
 - `ingress-nginx`
@@ -125,6 +128,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `kube-system`
 - `longhorn-system`
 - `rancher-alerting-drivers`
+- `rancher-compliance-system`
 - `security-scan`
 - `sr-operator-system`
 - `tigera-operator`
diff --git a/docs/reference-guides/rancher-security/psa-restricted-exemptions.md b/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
index 09afca597e0..973a0c878bb 100644
--- a/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -14,56 +14,57 @@ kind: AdmissionConfiguration
 plugins:
 - name: PodSecurity
 configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
 kind: PodSecurityConfiguration
 defaults:
- enforce: "restricted"
- enforce-version: "latest"
- audit: "restricted"
- audit-version: "latest"
- warn: "restricted"
- warn-version: "latest"
+ enforce: restricted
+ enforce-version: latest
 exemptions:
- usernames: []
+ namespaces:
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
+ - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
+ - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
+ - cattle-gatekeeper-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
+ - cattle-istio-system
+ - cattle-logging
+ - cattle-logging-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
 runtimeClasses: []
- namespaces: [calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-elemental-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-provisioning-capi-system,
- cattle-resources-system,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- fleet-local,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- rancher-alerting-drivers,
- security-scan,
- sr-operator-system,
- tigera-operator]
+ usernames: []
 ```
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index ae248cc9b7c..b79ecda66e8 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
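Review bot: The added `apiVersion: pod-security.admission.config.k8s.io/v1beta1` replaces the `v1` the sample used before, and the rewritten `defaults:` block keeps only `enforce`/`enforce-version` while the removed lines also carried `audit`, `audit-version`, `warn` and `warn-version`; neither change is covered by the subject "Updating ns exemption list" and both read as regressions rather than part of it. A mode that is left unset falls back to `privileged`, and as far as I recall the admission plugin applies only the audit and warn modes to workload templates (Deployments, Jobs and the like), so the rewritten sample would lose the warnings and audit annotations that tell an operator a template is about to produce rejected pods. The sibling sample `rancher-psact.yaml` in this same commit still shows `warn-version: latest` among its context lines, so the two samples now disagree on which modes a restricted cluster runs. I would keep `v1` and restore the six-line `defaults` block as below; the same rewrite appears in the i18n/zh current, version-2.13 and version-2.14 copies and in versioned_docs/version-2.13 of this file.
```yaml
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: restricted
      enforce-version: latest
      audit: restricted
      audit-version: latest
      warn: restricted
      warn-version: latest
    # … unchanged: exemptions block …
```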
@@ -12,26 +12,50 @@ plugins:
 warn-version: latest
 exemptions:
 namespaces:
- - ingress-nginx
- - kube-system
- - cattle-system
- - cattle-epinio-system
- - cattle-fleet-system
- - longhorn-system
- - cattle-neuvector-system
- - cattle-monitoring-system
- - rancher-alerting-drivers
- - cis-operator-system
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
 - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
 - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
 - cattle-gatekeeper-system
- - istio-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
 - cattle-istio-system
+ - cattle-logging
 - cattle-logging-system
- - cattle-windows-gmsa-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
 - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
 - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
 - tigera-operator
 kind: PodSecurityConfiguration
 name: PodSecurity
- path: ""
\ No newline at end of file
+ path: ""
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index 22d7033980d..8434d685d9b 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -90,7 +90,9 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
 - `calico-apiserver`
 - `calico-system`
 - `cattle-alerting`
+- `cattle-capi-system`
 - `cattle-csp-adapter-system`
+- `cattle-elemental-system`
 - `cattle-epinio-system`
 - `cattle-externalip-system`
 - `cattle-fleet-local-system`
@@ -106,12 +108,16 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
 - `cattle-monitoring-system`
 - `cattle-neuvector-system`
 - `cattle-prometheus`
+- `cattle-provisioning-capi-system`
+- `cattle-resources-system`
 - `cattle-sriov-system`
 - `cattle-system`
+- `cattle-turtles-system`
 - `cattle-ui-plugin-system`
 - `cattle-windows-gmsa-system`
 - `cert-manager`
 - `cis-operator-system`
+- `compliance-operator-system`
 - `fleet-default`
 - `fleet-local`
 - `ingress-nginx`
@@ -121,7 +127,9 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
 - `kube-system`
 - `longhorn-system`
 - `rancher-alerting-drivers`
+- `rancher-compliance-system`
 - `security-scan`
+- `sr-operator-system`
 - `tigera-operator`
 Rancher、Rancher 拥有的一些 Chart 以及 RKE2 和 K3s 发行版都使用这些命名空间。列出的命名空间的一个子集已经在内置的 Rancher `rancher-restricted` 策略中被豁免,用于下游集群。有关运行 Rancher 所需的所有豁免的完整模板,请参阅此[准入配置示例](../../../reference-guides/rancher-security/psa-restricted-exemptions.md)。
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md
index d623ef71dfb..76a3032af36 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -10,53 +10,57 @@ kind: AdmissionConfiguration
 plugins:
 - name: PodSecurity
 configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
 kind: PodSecurityConfiguration
 defaults:
- enforce: "restricted"
- enforce-version: "latest"
- audit: "restricted"
- audit-version: "latest"
- warn: "restricted"
- warn-version: "latest"
+ enforce: restricted
+ enforce-version: latest
 exemptions:
- usernames: []
+ namespaces:
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
+ - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
+ - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
+ - cattle-gatekeeper-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
+ - cattle-istio-system
+ - cattle-logging
+ - cattle-logging-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
 runtimeClasses: []
- namespaces: [calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-elemental-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-resources-system,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- rancher-alerting-drivers,
- security-scan,
- tigera-operator]
+ usernames: []
 ```
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index ae248cc9b7c..b79ecda66e8 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -12,26 +12,50 @@ plugins:
 warn-version: latest
 exemptions:
 namespaces:
- - ingress-nginx
- - kube-system
- - cattle-system
- - cattle-epinio-system
- - cattle-fleet-system
- - longhorn-system
- - cattle-neuvector-system
- - cattle-monitoring-system
- - rancher-alerting-drivers
- - cis-operator-system
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
 - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
 - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
 - cattle-gatekeeper-system
- - istio-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
 - cattle-istio-system
+ - cattle-logging
 - cattle-logging-system
- - cattle-windows-gmsa-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
 - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
 - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
 - tigera-operator
 kind: PodSecurityConfiguration
 name: PodSecurity
- path: ""
\ No newline at end of file
+ path: ""
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index 22d7033980d..8434d685d9b 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -90,7 +90,9 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
 - `calico-apiserver`
 - `calico-system`
 - `cattle-alerting`
+- `cattle-capi-system`
 - `cattle-csp-adapter-system`
+- `cattle-elemental-system`
 - `cattle-epinio-system`
 - `cattle-externalip-system`
 - `cattle-fleet-local-system`
@@ -106,12 +108,16 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
 - `cattle-monitoring-system`
 - `cattle-neuvector-system`
 - `cattle-prometheus`
+- `cattle-provisioning-capi-system`
+- `cattle-resources-system`
 - `cattle-sriov-system`
 - `cattle-system`
+- `cattle-turtles-system`
 - `cattle-ui-plugin-system`
 - `cattle-windows-gmsa-system`
 - `cert-manager`
 - `cis-operator-system`
+- `compliance-operator-system`
 - `fleet-default`
 - `fleet-local`
 - `ingress-nginx`
@@ -121,7 +127,9 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
 - `kube-system`
 - `longhorn-system`
 - `rancher-alerting-drivers`
+- `rancher-compliance-system`
 - `security-scan`
+- `sr-operator-system`
 - `tigera-operator`
 Rancher、Rancher 拥有的一些 Chart 以及 RKE2 和 K3s 发行版都使用这些命名空间。列出的命名空间的一个子集已经在内置的 Rancher `rancher-restricted` 策略中被豁免,用于下游集群。有关运行 Rancher 所需的所有豁免的完整模板,请参阅此[准入配置示例](../../../reference-guides/rancher-security/psa-restricted-exemptions.md)。
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
index d623ef71dfb..76a3032af36 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -10,53 +10,57 @@ kind: AdmissionConfiguration
 plugins:
 - name: PodSecurity
 configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
 kind: PodSecurityConfiguration
 defaults:
- enforce: "restricted"
- enforce-version: "latest"
- audit: "restricted"
- audit-version: "latest"
- warn: "restricted"
- warn-version: "latest"
+ enforce: restricted
+ enforce-version: latest
 exemptions:
- usernames: []
+ namespaces:
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
+ - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
+ - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
+ - cattle-gatekeeper-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
+ - cattle-istio-system
+ - cattle-logging
+ - cattle-logging-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
 runtimeClasses: []
- namespaces: [calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-elemental-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-resources-system,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- rancher-alerting-drivers,
- security-scan,
- tigera-operator]
+ usernames: []
 ```
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index ae248cc9b7c..b79ecda66e8 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -12,26 +12,50 @@ plugins:
 warn-version: latest
 exemptions:
 namespaces:
- - ingress-nginx
- - kube-system
- - cattle-system
- - cattle-epinio-system
- - cattle-fleet-system
- - longhorn-system
- - cattle-neuvector-system
- - cattle-monitoring-system
- - rancher-alerting-drivers
- - cis-operator-system
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
 - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
 - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
 - cattle-gatekeeper-system
- - istio-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
 - cattle-istio-system
+ - cattle-logging
 - cattle-logging-system
- - cattle-windows-gmsa-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
 - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
 - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
 - tigera-operator
 kind: PodSecurityConfiguration
 name: PodSecurity
- path: ""
\ No newline at end of file
+ path: ""
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index 22d7033980d..8434d685d9b 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -90,7 +90,9 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
 - `calico-apiserver`
 - `calico-system`
 - `cattle-alerting`
+- `cattle-capi-system`
 - `cattle-csp-adapter-system`
+- `cattle-elemental-system`
 - `cattle-epinio-system`
 - `cattle-externalip-system`
 - `cattle-fleet-local-system`
@@ -106,12 +108,16 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
 - `cattle-monitoring-system`
 - `cattle-neuvector-system`
 - `cattle-prometheus`
+- `cattle-provisioning-capi-system`
+- `cattle-resources-system`
 - `cattle-sriov-system`
 - `cattle-system`
+- `cattle-turtles-system`
 - `cattle-ui-plugin-system`
 - `cattle-windows-gmsa-system`
 - `cert-manager`
 - `cis-operator-system`
+- `compliance-operator-system`
 - `fleet-default`
 - `fleet-local`
 - `ingress-nginx`
@@ -121,7 +127,9 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
 - `kube-system`
 - `longhorn-system`
 - `rancher-alerting-drivers`
+- `rancher-compliance-system`
 - `security-scan`
+- `sr-operator-system`
 - `tigera-operator`
 Rancher、Rancher 拥有的一些 Chart 以及 RKE2 和 K3s 发行版都使用这些命名空间。列出的命名空间的一个子集已经在内置的 Rancher `rancher-restricted` 策略中被豁免,用于下游集群。有关运行 Rancher 所需的所有豁免的完整模板,请参阅此[准入配置示例](../../../reference-guides/rancher-security/psa-restricted-exemptions.md)。
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
index d623ef71dfb..76a3032af36 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -10,53 +10,57 @@ kind: AdmissionConfiguration
 plugins:
 - name: PodSecurity
 configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
 kind: PodSecurityConfiguration
 defaults:
- enforce: "restricted"
- enforce-version: "latest"
- audit: "restricted"
- audit-version: "latest"
- warn: "restricted"
- warn-version: "latest"
+ enforce: restricted
+ enforce-version: latest
 exemptions:
- usernames: []
+ namespaces:
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
+ - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
+ - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
+ - cattle-gatekeeper-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
+ - cattle-istio-system
+ - cattle-logging
+ - cattle-logging-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
 runtimeClasses: []
- namespaces: [calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-elemental-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-resources-system,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- rancher-alerting-drivers,
- security-scan,
- tigera-operator]
+ usernames: []
 ```
diff --git a/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index 361adde18a6..b79ecda66e8 100644
--- a/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -12,28 +12,50 @@ plugins:
 warn-version: latest
 exemptions:
 namespaces:
- - ingress-nginx
- - kube-system
- - cattle-system
- - cattle-epinio-system
- - cattle-fleet-system
- - cattle-fleet-local-system
- - longhorn-system
- - cattle-neuvector-system
- - cattle-monitoring-system
- - rancher-alerting-drivers
- - cis-operator-system
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
 - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
 - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
 - cattle-gatekeeper-system
- - istio-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
 - cattle-istio-system
+ - cattle-logging
 - cattle-logging-system
- - cattle-windows-gmsa-system
- - cattle-sriov-system
- - cattle-ui-plugin-system
- - tigera-operator
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
 - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
 kind: PodSecurityConfiguration
 name: PodSecurity
 path: ""
diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index e924a4cfffa..113bedf35c1 100644
--- a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -91,6 +91,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `calico-apiserver`
 - `calico-system`
 - `cattle-alerting`
+- `cattle-capi-system`
 - `cattle-csp-adapter-system`
 - `cattle-elemental-system`
 - `cattle-epinio-system`
@@ -112,10 +113,12 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `cattle-resources-system`
 - `cattle-sriov-system`
 - `cattle-system`
+- `cattle-turtles-system`
 - `cattle-ui-plugin-system`
 - `cattle-windows-gmsa-system`
 - `cert-manager`
 - `cis-operator-system`
+- `compliance-operator-system`
 - `fleet-default`
 - `fleet-local`
 - `ingress-nginx`
@@ -125,6 +128,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `kube-system`
 - `longhorn-system`
 - `rancher-alerting-drivers`
+- `rancher-compliance-system`
 - `security-scan`
 - `sr-operator-system`
 - `tigera-operator`
diff --git a/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md b/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
index 09afca597e0..973a0c878bb 100644
--- a/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -14,56 +14,57 @@ kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
defaults:
- enforce: "restricted"
- enforce-version: "latest"
- audit: "restricted"
- audit-version: "latest"
- warn: "restricted"
- warn-version: "latest"
+ enforce: restricted
+ enforce-version: latest
exemptions:
- usernames: []
+ namespaces:
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
+ - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
+ - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
+ - cattle-gatekeeper-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
+ - cattle-istio-system
+ - cattle-logging
+ - cattle-logging-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
runtimeClasses: []
- namespaces: [calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-elemental-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-provisioning-capi-system,
- cattle-resources-system,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- fleet-local,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- rancher-alerting-drivers,
- security-scan,
- sr-operator-system,
- tigera-operator]
+ usernames: []
```
diff --git a/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index 361adde18a6..b79ecda66e8 100644
--- a/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -12,28 +12,50 @@ plugins:
warn-version: latest
exemptions:
namespaces:
- - ingress-nginx
- - kube-system
- - cattle-system
- - cattle-epinio-system
- - cattle-fleet-system
- - cattle-fleet-local-system
- - longhorn-system
- - cattle-neuvector-system
- - cattle-monitoring-system
- - rancher-alerting-drivers
- - cis-operator-system
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
- cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
- cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
- cattle-gatekeeper-system
- - istio-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
- cattle-istio-system
+ - cattle-logging
- cattle-logging-system
- - cattle-windows-gmsa-system
- - cattle-sriov-system
- - cattle-ui-plugin-system
- - tigera-operator
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
- cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
kind: PodSecurityConfiguration
name: PodSecurity
path: ""
diff --git a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index e924a4cfffa..113bedf35c1 100644
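Review bot: `kube-node-lease` and `kube-public` are newly exempted here, and I am not aware of any Rancher, RKE2 or K3s component that schedules pods in either namespace (kube-node-lease holds node Lease objects, kube-public the publicly readable cluster-info data), so both look like exemptions with no workload behind them. An exemption on a namespace that runs nothing is harmless until someone gains pod-create rights there, at which point it is a ready-made bypass of the restricted profile, so if no component needs them I would drop the two lines, and if one does, say which one next to the entry, e.g. `- kube-public  # required by <component>`. The same list appears in the 2.13 and current copies of this file, which this commit appears to change identically, so whatever is decided should be applied to all of them.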
--- a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -91,6 +91,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
- `calico-apiserver`
- `calico-system`
- `cattle-alerting`
+- `cattle-capi-system`
- `cattle-csp-adapter-system`
- `cattle-elemental-system`
- `cattle-epinio-system`
@@ -112,10 +113,12 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
- `cattle-resources-system`
- `cattle-sriov-system`
- `cattle-system`
+- `cattle-turtles-system`
- `cattle-ui-plugin-system`
- `cattle-windows-gmsa-system`
- `cert-manager`
- `cis-operator-system`
+- `compliance-operator-system`
- `fleet-default`
- `fleet-local`
- `ingress-nginx`
@@ -125,6 +128,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
- `kube-system`
- `longhorn-system`
- `rancher-alerting-drivers`
+- `rancher-compliance-system`
- `security-scan`
- `sr-operator-system`
- `tigera-operator`
diff --git a/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md b/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
index 09afca597e0..973a0c878bb 100644
--- a/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -14,56 +14,57 @@ kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
defaults:
- enforce: "restricted"
- enforce-version: "latest"
- audit: "restricted"
- audit-version: "latest"
- warn: "restricted"
- warn-version: "latest"
+ enforce: restricted
+ enforce-version: latest
exemptions:
- usernames: []
+ namespaces:
+ - calico-apiserver
+ - calico-system
+ - cattle-alerting
+ - cattle-capi-system
+ - cattle-csp-adapter-system
+ - cattle-elemental-system
+ - cattle-epinio-system
+ - cattle-externalip-system
+ - cattle-fleet-local-system
+ - cattle-fleet-system
+ - cattle-gatekeeper-system
+ - cattle-global-data
+ - cattle-global-nt
+ - cattle-impersonation-system
+ - cattle-istio
+ - cattle-istio-system
+ - cattle-logging
+ - cattle-logging-system
+ - cattle-monitoring-system
+ - cattle-neuvector-system
+ - cattle-prometheus
+ - cattle-provisioning-capi-system
+ - cattle-resources-system
+ - cattle-sriov-system
+ - cattle-system
+ - cattle-turtles-system
+ - cattle-ui-plugin-system
+ - cattle-windows-gmsa-system
+ - cert-manager
+ - cis-operator-system
+ - compliance-operator-system
+ - fleet-default
+ - fleet-local
+ - ingress-nginx
+ - istio-system
+ - kube-node-lease
+ - kube-public
+ - kube-system
+ - longhorn-system
+ - rancher-alerting-drivers
+ - rancher-compliance-system
+ - security-scan
+ - sr-operator-system
+ - tigera-operator
runtimeClasses: []
- namespaces: [calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-elemental-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-provisioning-capi-system,
- cattle-resources-system,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- fleet-local,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- rancher-alerting-drivers,
- security-scan,
- sr-operator-system,
- tigera-operator]
+ usernames: []
```
From 473eea4b4141fb889464db4cdf7ee5071d09bcca Mon Sep 17 00:00:00 2001
From: Sunil Singh
Date: Mon, 9 Mar 2026 14:16:40 -0700
Subject: [PATCH 2/3] Update code block after review
Signed-off-by: Sunil Singh
---
.../rancher-security/psa-restricted-exemptions.md | 10 +++++++---
.../rancher-security/psa-restricted-exemptions.md | 10 +++++++---
.../rancher-security/psa-restricted-exemptions.md | 10 +++++++---
.../rancher-security/psa-restricted-exemptions.md | 10 +++++++---
.../rancher-security/psa-restricted-exemptions.md | 10 +++++++---
.../rancher-security/psa-restricted-exemptions.md | 10 +++++++---
6 files changed, 42 insertions(+), 18 deletions(-)
diff --git a/docs/reference-guides/rancher-security/psa-restricted-exemptions.md b/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
index 973a0c878bb..d54afa9b708 100644
--- a/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -14,11 +14,15 @@ kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1beta1
+ apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
- enforce: restricted
- enforce-version: latest
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
exemptions:
namespaces:
- calico-apiserver
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md
index 76a3032af36..5618bc10850 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -10,11 +10,15 @@ kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1beta1
+ apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
- enforce: restricted
- enforce-version: latest
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
exemptions:
namespaces:
- calico-apiserver
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
index 76a3032af36..5618bc10850 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -10,11 +10,15 @@ kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1beta1
+ apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
- enforce: restricted
- enforce-version: latest
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
exemptions:
namespaces:
- calico-apiserver
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
index 76a3032af36..5618bc10850 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -10,11 +10,15 @@ kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1beta1
+ apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
- enforce: restricted
- enforce-version: latest
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
exemptions:
namespaces:
- calico-apiserver
diff --git a/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md b/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
index 973a0c878bb..d54afa9b708 100644
--- a/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -14,11 +14,15 @@ kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1beta1
+ apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
- enforce: restricted
- enforce-version: latest
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
exemptions:
namespaces:
- calico-apiserver
diff --git a/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md b/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
index 973a0c878bb..d54afa9b708 100644
--- a/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -14,11 +14,15 @@ kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1beta1
+ apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
- enforce: restricted
- enforce-version: latest
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
exemptions:
namespaces:
- calico-apiserver
From dd90555a6479a0fc500d68e51327fdfa356f633f Mon Sep 17 00:00:00 2001
From: Sunil Singh
Date: Thu, 12 Mar 2026 11:12:28 -0700
Subject: [PATCH 3/3] Removing ingress-nginx due to deprecation and replacing with traefik.
Signed-off-by: Sunil Singh
---
.../install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml | 2 +-
.../psa-config-templates.md | 2 +-
.../rancher-security/psa-restricted-exemptions.md | 2 +-
.../install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml | 2 +-
.../psa-config-templates.md | 2 +-
.../rancher-security/psa-restricted-exemptions.md | 2 +-
.../install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml | 2 +-
.../psa-config-templates.md | 2 +-
.../rancher-security/psa-restricted-exemptions.md | 2 +-
.../install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml | 2 +-
.../psa-config-templates.md | 2 +-
.../rancher-security/psa-restricted-exemptions.md | 2 +-
.../install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml | 2 +-
.../psa-config-templates.md | 2 +-
.../rancher-security/psa-restricted-exemptions.md | 2 +-
.../install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml | 2 +-
.../psa-config-templates.md | 2 +-
.../rancher-security/psa-restricted-exemptions.md | 2 +-
18 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index b79ecda66e8..0b0fb33c74d 100644
--- a/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -45,7 +45,6 @@ plugins:
- compliance-operator-system
- fleet-default
- fleet-local
- - ingress-nginx
- istio-system
- kube-node-lease
- kube-public
@@ -56,6 +55,7 @@ plugins:
- security-scan
- sr-operator-system
- tigera-operator
+ - traefik
kind: PodSecurityConfiguration
name: PodSecurity
path: ""
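Review bot: Dropping `ingress-nginx` from the exemption list takes effect at the next pod admission, so a cluster that still runs the nginx ingress controller in an `ingress-nginx` namespace will have those pods evaluated under `restricted` when they restart or are rescheduled, and an ingress controller that uses hostNetwork or host ports (I have not checked the RKE2 chart defaults) is rejected by that profile. The deprecation is only mentioned in the commit message; the sample itself gives no hint, and the diffstat shows the same removal applied to the 2.13 and 2.14 versioned copies, where that controller may still be the shipped default, so a reader who copies the new list gets no warning. I would keep a comment where the entry was: `# ingress-nginx is no longer exempted; add it back if your cluster still runs the nginx ingress controller in that namespace.` The new `traefik` entry is also worth checking against the namespace the Traefik chart actually installs into — K3s places it in `kube-system`, in which case a `traefik` namespace exemption here is a no-op.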
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index 113bedf35c1..d4a4ed070bd 100644
--- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -121,7 +121,6 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
- `compliance-operator-system`
- `fleet-default`
- `fleet-local`
-- `ingress-nginx`
- `istio-system`
- `kube-node-lease`
- `kube-public`
@@ -132,6 +131,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
- `security-scan`
- `sr-operator-system`
- `tigera-operator`
+- `traefik`
Rancher, some Rancher owned charts, and RKE2 and K3s distributions all use these namespaces. A subset of the listed namespaces are already exempt in the built-in Rancher `rancher-restricted` policy, for use in downstream clusters. For a complete template which has all the exemptions you need to run Rancher, please refer to this [sample Admission Configuration](../../../reference-guides/rancher-security/psa-restricted-exemptions.md).
diff --git a/docs/reference-guides/rancher-security/psa-restricted-exemptions.md b/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
index d54afa9b708..c404dc04bc2 100644
--- a/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -58,7 +58,6 @@ plugins:
- compliance-operator-system
- fleet-default
- fleet-local
- - ingress-nginx
- istio-system
- kube-node-lease
- kube-public
@@ -69,6 +68,7 @@ plugins:
- security-scan
- sr-operator-system
- tigera-operator
+ - traefik
runtimeClasses: []
usernames: []
```
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index b79ecda66e8..0b0fb33c74d 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/i18n/zh/docusaurus-plugin-content-docs/current/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -45,7 +45,6 @@ plugins:
- compliance-operator-system
- fleet-default
- fleet-local
- - ingress-nginx
- istio-system
- kube-node-lease
- kube-public
@@ -56,6 +55,7 @@ plugins:
- security-scan
- sr-operator-system
- tigera-operator
+ - traefik
kind: PodSecurityConfiguration
name: PodSecurity
path: ""
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index 8434d685d9b..8f3969f36ad 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -120,7 +120,6 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
- `compliance-operator-system`
- `fleet-default`
- `fleet-local`
-- `ingress-nginx`
- `istio-system`
- `kube-node-lease`
- `kube-public`
@@ -131,6 +130,7 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
- `security-scan`
- `sr-operator-system`
- `tigera-operator`
+- `traefik`
Rancher、Rancher 拥有的一些 Chart 以及 RKE2 和 K3s 发行版都使用这些命名空间。列出的命名空间的一个子集已经在内置的 Rancher `rancher-restricted` 策略中被豁免,用于下游集群。有关运行 Rancher 所需的所有豁免的完整模板,请参阅此[准入配置示例](../../../reference-guides/rancher-security/psa-restricted-exemptions.md)。
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md
index 5618bc10850..05462e2c546 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/current/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -54,7 +54,6 @@ plugins:
- compliance-operator-system
- fleet-default
- fleet-local
- - ingress-nginx
- istio-system
- kube-node-lease
- kube-public
@@ -65,6 +64,7 @@ plugins:
- security-scan
- sr-operator-system
- tigera-operator
+ - traefik
runtimeClasses: []
usernames: []
```
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index b79ecda66e8..0b0fb33c74d 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -45,7 +45,6 @@ plugins:
- compliance-operator-system
- fleet-default
- fleet-local
- - ingress-nginx
- istio-system
- kube-node-lease
- kube-public
@@ -56,6 +55,7 @@ plugins:
- security-scan
- sr-operator-system
- tigera-operator
+ - traefik
kind: PodSecurityConfiguration
name: PodSecurity
path: ""
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index 8434d685d9b..8f3969f36ad 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -120,7 +120,6 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
- `compliance-operator-system`
- `fleet-default`
- `fleet-local`
-- `ingress-nginx`
- `istio-system`
- `kube-node-lease`
- `kube-public`
@@ -131,6 +130,7 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
- `security-scan`
- `sr-operator-system`
- `tigera-operator`
+- `traefik`
Rancher、Rancher 拥有的一些 Chart 以及 RKE2 和 K3s 发行版都使用这些命名空间。列出的命名空间的一个子集已经在内置的 Rancher `rancher-restricted` 策略中被豁免,用于下游集群。有关运行 Rancher 所需的所有豁免的完整模板,请参阅此[准入配置示例](../../../reference-guides/rancher-security/psa-restricted-exemptions.md)。
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
index 5618bc10850..05462e2c546 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -54,7 +54,6 @@ plugins:
- compliance-operator-system
- fleet-default
- fleet-local
- - ingress-nginx
- istio-system
- kube-node-lease
- kube-public
@@ -65,6 +64,7 @@ plugins:
- security-scan
- sr-operator-system
- tigera-operator
+ - traefik
runtimeClasses: []
usernames: []
```
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index b79ecda66e8..0b0fb33c74d 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -45,7 +45,6 @@ plugins:
- compliance-operator-system
- fleet-default
- fleet-local
- - ingress-nginx
- istio-system
- kube-node-lease
- kube-public
@@ -56,6 +55,7 @@ plugins:
- security-scan
- sr-operator-system
- tigera-operator
+ - traefik
kind: PodSecurityConfiguration
name: PodSecurity
path: ""
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index 8434d685d9b..8f3969f36ad 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -120,7 +120,6 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
- `compliance-operator-system`
- `fleet-default`
- `fleet-local`
-- `ingress-nginx`
- `istio-system`
- `kube-node-lease`
- `kube-public`
@@ -131,6 +130,7 @@ The policies shipped by default in Rancher aim to provide a trade-off between se
- `security-scan`
- `sr-operator-system`
- `tigera-operator`
+- `traefik`
Rancher、Rancher 拥有的一些 Chart 以及 RKE2 和 K3s 发行版都使用这些命名空间。列出的命名空间的一个子集已经在内置的 Rancher `rancher-restricted` 策略中被豁免,用于下游集群。有关运行 Rancher 所需的所有豁免的完整模板,请参阅此[准入配置示例](../../../reference-guides/rancher-security/psa-restricted-exemptions.md)。
diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
index 5618bc10850..05462e2c546 100644
--- a/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -54,7 +54,6 @@ plugins:
- compliance-operator-system
- fleet-default
- fleet-local
- - ingress-nginx
- istio-system
- kube-node-lease
- kube-public
@@ -65,6 +64,7 @@ plugins:
- security-scan
- sr-operator-system
- tigera-operator
+ - traefik
runtimeClasses: []
usernames: []
```
diff --git a/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index b79ecda66e8..0b0fb33c74d 100644
--- a/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/versioned_docs/version-2.13/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -45,7 +45,6 @@ plugins:
- compliance-operator-system
- fleet-default
- fleet-local
- - ingress-nginx
- istio-system
- kube-node-lease
- kube-public
@@ -56,6 +55,7 @@ plugins:
- security-scan
- sr-operator-system
- tigera-operator
+ - traefik
kind: PodSecurityConfiguration
name: PodSecurity
path: ""
diff --git a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index 113bedf35c1..d4a4ed070bd 100644
--- a/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/versioned_docs/version-2.13/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -121,7 +121,6 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
- `compliance-operator-system`
- `fleet-default`
- `fleet-local`
-- `ingress-nginx`
- `istio-system`
- `kube-node-lease`
- `kube-public`
@@ -132,6 +131,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
- `security-scan`
- `sr-operator-system`
- `tigera-operator`
+- `traefik`
Rancher, some Rancher owned charts, and RKE2 and K3s distributions all use these namespaces. A subset of the listed namespaces are already exempt in the built-in Rancher `rancher-restricted` policy, for use in downstream clusters. For a complete template which has all the exemptions you need to run Rancher, please refer to this [sample Admission Configuration](../../../reference-guides/rancher-security/psa-restricted-exemptions.md).
diff --git a/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md b/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
index d54afa9b708..c404dc04bc2 100644
--- a/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/versioned_docs/version-2.13/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -58,7 +58,6 @@ plugins:
- compliance-operator-system
- fleet-default
- fleet-local
- - ingress-nginx
- istio-system
- kube-node-lease
- kube-public
@@ -69,6 +68,7 @@ plugins:
- security-scan
- sr-operator-system
- tigera-operator
+ - traefik
runtimeClasses: []
usernames: []
```
diff --git a/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml b/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
index b79ecda66e8..0b0fb33c74d 100644
--- a/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
+++ b/versioned_docs/version-2.14/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml
@@ -45,7 +45,6 @@ plugins:
 - compliance-operator-system
 - fleet-default
 - fleet-local
- - ingress-nginx
 - istio-system
 - kube-node-lease
 - kube-public
@@ -56,6 +55,7 @@ plugins:
 - security-scan
 - sr-operator-system
 - tigera-operator
+ - traefik
 kind: PodSecurityConfiguration
 name: PodSecurity
 path: ""
diff --git a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
index 113bedf35c1..d4a4ed070bd 100644
--- a/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
+++ b/versioned_docs/version-2.14/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates.md
@@ -121,7 +121,6 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `compliance-operator-system`
 - `fleet-default`
 - `fleet-local`
-- `ingress-nginx`
 - `istio-system`
 - `kube-node-lease`
 - `kube-public`
@@ -132,6 +131,7 @@ When you run Rancher on a Kubernetes cluster that enforces a restrictive securit
 - `security-scan`
 - `sr-operator-system`
 - `tigera-operator`
+- `traefik`
 Rancher, some Rancher owned charts, and RKE2 and K3s distributions all use these namespaces. A subset of the listed namespaces are already exempt in the built-in Rancher `rancher-restricted` policy, for use in downstream clusters. For a complete template which has all the exemptions you need to run Rancher, please refer to this [sample Admission Configuration](../../../reference-guides/rancher-security/psa-restricted-exemptions.md).
diff --git a/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md b/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
index d54afa9b708..c404dc04bc2 100644
--- a/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
+++ b/versioned_docs/version-2.14/reference-guides/rancher-security/psa-restricted-exemptions.md
@@ -58,7 +58,6 @@ plugins:
 - compliance-operator-system
 - fleet-default
 - fleet-local
- - ingress-nginx
 - istio-system
 - kube-node-lease
 - kube-public
@@ -69,6 +68,7 @@ plugins:
 - security-scan
 - sr-operator-system
 - tigera-operator
+ - traefik
 runtimeClasses: []
 usernames: []
 ```
