* Sync main to v2.13.0 (#2065) * It's bad form to ask users to pass something they just curled from the internet directly to sh Updated the instructions for uninstalling the rancher-system-agent to use a temporary script file instead of piping directly to sh. * doc(rancher-security): improve structure and content to latest, v2.13-preview and v2.12 (#2024) - add Rancher Kubernetes Distributions (K3s/RKE2) Self-Assessment and Hardening Guide section - add kubernetes cluster security best practices link to rancher-security section - add k3s-selinux and update selinux-rpm details - remove rhel/centos 7 support Signed-off-by: Andy Pitcher <andy.pitcher@suse.com> * Updating across supported versions and translations. Signed-off-by: Sunil Singh <sunil.singh@suse.com> --------- Signed-off-by: Andy Pitcher <andy.pitcher@suse.com> Signed-off-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Tejeev <tj@rancher.com> Co-authored-by: Andy Pitcher <andy.pitcher@suse.com> Co-authored-by: Sunil Singh <sunil.singh@suse.com> * Update roletemplate aggregation doc and version information * Add versioned docs * Remove ext token and kubeconfig feature flag sections and document bearer Token * Update corresponding v2.13 pages * update doc for pni in gke * Adding reverted session idle information from PR 1653 Signed-off-by: Sunil Singh <sunil.singh@suse.com> * [2.13.0] Add versions table entry * [2.13.0] Add webhook version * [2.13.0] Add CSP Adapter version * [2.13.0] Add deprecated feature table entry * [2.13.0] Update CNI popularity stats * Update GKE Cluster Configuration for Project Network Isolation instructions * Fix link and port to 2.13 * [2.13.0] Add Swagger JSON * [v2.13.0] Add info about Azure AD Roles claims (#2079) * Add info about Azure AD roles claims compatibility * Apply suggestions from code review Co-authored-by: Sunil Singh <sunil.singh@suse.com> * Add suggestions to v2.13 --------- Co-authored-by: Sunil Singh <sunil.singh@suse.com> * [2.13.0] Remove preview 
designation * user public api docs (#2069) * user public api docs * Apply suggestions from code review Co-authored-by: Andreas Kupries <akupries@suse.com> * Apply suggestions from code review Co-authored-by: Peter Matseykanets <pmatseykanets@gmail.com> * explain plaintext is never stored * add users 2.13 versioned docs * remove extra ``` * Apply suggestions from code review Co-authored-by: Lucas Saintarbor <lucas.saintarbor@suse.com> * add space before code block --------- Co-authored-by: Andreas Kupries <akupries@suse.com> Co-authored-by: Peter Matseykanets <pmatseykanets@gmail.com> Co-authored-by: Lucas Saintarbor <lucas.saintarbor@suse.com> * support IPv6 (#2041) * [v2.13.0] Add Configure GitHub App page (#2081) * Add Configure GitHub App page * Apply suggestions from code review Co-authored-by: Billy Tat <btat@suse.com> * Fix header/GH URL & add suggestions to v2.13 * Apply suggestions from code review Co-authored-by: Petr Kovar <pknbe@volny.cz> * Apply suggestions from code review to v2.13 * Add note describing why to use Installation ID * Apply suggestions from code review Co-authored-by: Billy Tat <btat@suse.com> --------- Co-authored-by: Billy Tat <btat@suse.com> Co-authored-by: Petr Kovar <pknbe@volny.cz> * [v2.13.0] Add info about Generic OIDC Custom Mapping (#2080) * Add info about Generic OIDC Custom Mapping * Apply suggestions from code review Co-authored-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Billy Tat <btat@suse.com> * Apply suggestions from code review Co-authored-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Billy Tat <btat@suse.com> * Add suggestions to v2.13 * Remove repetitive statement in intro * Move Prereq intro/note to appropriate section * Fix formatting, UI typo, add Custom Claims section under Configuration Reference section * Add section about how a custom groups claim works / note about search limitations for groups in RBAC --------- Co-authored-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Billy Tat 
<btat@suse.com> * [v2.13.0] Add info about OIDC SLO support (#2086) * Add shared file covering OIDC SLO support to OIDC auth pages * Add How to get the End Session Endpoint steps * Add generic curl example to retrieve end_session_endpoint * [2.13.0] Bump release date --------- Signed-off-by: Andy Pitcher <andy.pitcher@suse.com> Signed-off-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Lucas Saintarbor <lucas.saintarbor@suse.com> Co-authored-by: Tejeev <tj@rancher.com> Co-authored-by: Andy Pitcher <andy.pitcher@suse.com> Co-authored-by: Sunil Singh <sunil.singh@suse.com> Co-authored-by: Jonathan Crowther <jonathan.crowther@suse.com> Co-authored-by: Peter Matseykanets <peter.matseykanets@suse.com> Co-authored-by: Petr Kovar <petr.kovar@suse.com> Co-authored-by: Krunal Hingu <krunal.hingu222@gmail.com> Co-authored-by: Raul Cabello Martin <raul.cabello@suse.com> Co-authored-by: Andreas Kupries <akupries@suse.com> Co-authored-by: Peter Matseykanets <pmatseykanets@gmail.com> Co-authored-by: Jack Luo <jiaqi.luo@suse.com> Co-authored-by: Petr Kovar <pknbe@volny.cz>
| title |
|---|
| Feature Flags |
With feature flags, you can try out optional or experimental features, and enable legacy features that are being phased out.
To learn more about feature values and how to enable them, see Enabling Experimental Features.
:::note
Some feature flags require a restart of the Rancher container. Features that require a restart are marked in the Rancher UI.
:::
The following is a list of feature flags available in Rancher. If you've upgraded from a previous Rancher version, you may see additional flags in the Rancher UI, such as proxy or dashboard (both discontinued):
- `aggregated-roletemplates`: Use cluster role aggregation architecture for RoleTemplates, ProjectRoleTemplateBindings, and ClusterRoleTemplateBindings. See RoleTemplate Aggregation for more information.
- `clean-stale-secrets`: Removes stale secrets from the `cattle-impersonation-system` namespace. This slowly cleans up old secrets which are no longer being used by the impersonation system.
- `continuous-delivery`: Allows Fleet GitOps to be disabled separately from Fleet. See Continuous Delivery for more information.
- `fleet`: The Rancher provisioning framework in v2.6 and later requires Fleet. The flag will be automatically enabled when you upgrade, even if you disabled this flag in an earlier version of Rancher. See Continuous Delivery with Fleet for more information.
- `harvester`: Manages access to the Virtualization Management page, where users can navigate directly to Harvester clusters and access the Harvester UI. See Harvester Integration Overview for more information.
- `imperative-api-extension`: Enables Rancher's extension API server to register new APIs to Kubernetes. This flag is enabled by default. See the Extension API Server page for more information.
- `istio-virtual-service-ui`: Enables a visual interface to create, read, update, and delete Istio virtual services and destination rules, which are Istio traffic management features.
- `legacy`: Enables a set of features from 2.5.x and earlier that are slowly being phased out in favor of newer implementations. These are a mix of deprecated features as well as features that will eventually be available to newer versions. This flag is disabled by default on new Rancher installations. If you're upgrading from a previous version of Rancher, this flag is enabled.
- `managed-system-upgrade-controller`: Enables the installation of the system-upgrade-controller app in downstream imported RKE2/K3s clusters, as well as in the local cluster if it is an RKE2/K3s cluster.
:::note Important:
This managed-system-upgrade-controller flag is intended for internal use only and does not have an associated Feature CR. Use with caution.
To control whether Rancher should manage the Kubernetes version of imported RKE2/K3s clusters, it is recommended to use the imported-cluster-version-management feature that is available in Rancher v2.11.0 or newer.
:::
:::danger
If the managed-system-upgrade-controller flag was disabled in Rancher v2.10.x, and any imported RKE2/K3s clusters were upgraded outside of Rancher, follow the steps below to prevent the unexpected installation of the system-upgrade-controller app and to ensure the imported-cluster-version-management feature works correctly:
- Upgrade Rancher to v2.11.0 or newer, making sure to retain the `managed-system-upgrade-controller=false` feature flag in Helm values if it was set during the v2.10.x installation.
- After Rancher is fully up and running, disable the `imported-cluster-version-management` setting. You can do this either through the Rancher UI by clicking ☰ > Global Settings > Settings > imported-cluster-version-management, or by editing the corresponding `Setting.management.cattle.io/v3` custom resource via kubectl.
- Perform a second Helm upgrade, this time omitting the `managed-system-upgrade-controller=false` feature flag.
Now, the imported cluster version management is disabled by default, and Rancher no longer installs the system-upgrade-controller app on imported clusters automatically.
You can enable this feature on a per-cluster basis. For more information, please refer to the documentation.
:::
- `multi-cluster-management`: Allows multi-cluster provisioning and management of Kubernetes clusters. This flag can only be set at install time. It can't be enabled or disabled later.
- `rke2`: Enables provisioning RKE2 clusters. This flag is enabled by default.
- `token-hashing`: Enables token hashing. Once enabled, existing tokens will be hashed and all new tokens will be hashed automatically with the SHA256 algorithm. Once a token is hashed it can't be undone. This flag can't be disabled after it's enabled. See API Tokens for more information.
- `uiextension`: Enables UI extensions. This flag is enabled by default. Enabling or disabling the flag forces the Rancher pod to restart. The first time this flag is set to `Active`, it creates a CRD and enables the controllers and endpoints necessary for the feature to work. If set to `Disabled`, it disables the previously mentioned controllers and endpoints. Setting `uiextension` to `Disabled` has no effect on the CRD -- it does not create a CRD if it does not yet exist, nor does it delete the CRD if it already exists.
- `unsupported-storage-drivers`: Enables types for storage providers and provisioners that aren't enabled by default. See Allow Unsupported Storage Drivers for more information.
- `ui-sql-cache`: Enables an SQLite-based cache for UI tables and Server-Side Pagination. See UI Server-Side Pagination for more information.
The following table shows the availability and default values for some feature flags in Rancher. Features marked "GA" are generally available:
| Feature Flag Name | Default Value | Status | Available As Of | Additional Information |
|---|---|---|---|---|
| `aggregated-roletemplates` | `Disabled` | Experimental | v2.11.0 | This flag value is locked on install and can't be changed. |
| `clean-stale-secrets` | `Active` | GA | v2.10.2 | |
| `continuous-delivery` | `Active` | GA | v2.6.0 | |
| `external-rules` | v2.7.14: `Disabled`, v2.8.5: `Active` | Removed | v2.7.14, v2.8.5 | This flag affected external RoleTemplate behavior. It is removed in Rancher v2.9.0 and later as the behavior is enabled by default. |
| `fleet` | `Active` | Can no longer be disabled | v2.6.0 | |
| `fleet` | `Active` | GA | v2.5.0 | |
| `harvester` | `Active` | Experimental | v2.6.1 | |
| `imperative-api-extension` | `Active` | GA | v2.11.0 | |
| `legacy` | `Disabled` for new installs, `Active` for upgrades | GA | v2.6.0 | |
| `managed-system-upgrade-controller` | `Active` | GA | v2.10.0 | |
| `rke2` | `true` | Experimental | v2.6.0 | |
| `token-hashing` | `Disabled` for new installs, `Active` for upgrades | GA | v2.6.0 | |
| `uiextension` | `Active` | GA | v2.9.0 | |
| `ui-sql-cache` | `Active` | GA | v2.9.0 | |
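
Because defaults differ between new installs and upgrades (`legacy`, `token-hashing`), the effective state of a flag is worth checking rather than assuming. The following is an added example, not part of the Rancher documentation or code base: it audits a list of Feature resources against a baseline. The field layout (`spec.value`, `status.default`, `status.lockedValue`), the sample data, and the baseline values are assumptions made for this example.

```python
import json

# Constructed sample shaped like `kubectl get features.management.cattle.io -o json`.
# Assumed fields: spec.value (override), status.default, status.lockedValue.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "token-hashing"}, "spec": {"value": null}, "status": {"default": false}},
 {"metadata": {"name": "legacy"}, "spec": {"value": true}, "status": {"default": false}},
 {"metadata": {"name": "unsupported-storage-drivers"}, "spec": {"value": null}, "status": {"default": false}},
 {"metadata": {"name": "multi-cluster-management"}, "spec": {"value": false}, "status": {"default": true, "lockedValue": true}}
]}
""")

# Illustrative baseline chosen for this example, not a Rancher recommendation.
BASELINE = {
    "token-hashing": True,                      # irreversible once enabled
    "legacy": False,                            # features being phased out
    "unsupported-storage-drivers": False,
    "managed-system-upgrade-controller": True,  # documented as having no Feature CR
}

def state(on):
    return "Active" if on else "Disabled"

def effective_value(feature):
    """A locked value wins, then an explicit spec.value, then the default."""
    status = feature.get("status") or {}
    spec = feature.get("spec") or {}
    for candidate in (status.get("lockedValue"), spec.get("value")):
        if candidate is not None:
            return bool(candidate)
    return bool(status.get("default", False))

def audit(feature_list, baseline=BASELINE):
    """Return {flag: finding} for every baseline flag that deviates or is missing."""
    seen = {f["metadata"]["name"]: f for f in feature_list.get("items", [])}
    findings = {}
    for name, wanted in baseline.items():
        if name not in seen:
            findings[name] = "no Feature CR found; check the Helm values instead"
            continue
        actual = effective_value(seen[name])
        if actual != wanted:
            findings[name] = f"is {state(actual)}, baseline wants {state(wanted)}"
    return findings

if __name__ == "__main__":
    for flag, finding in sorted(audit(SAMPLE).items()):
        print(f"{flag}: {finding}")
```

On a live installation, replace `SAMPLE` with the parsed output of `kubectl get features.management.cattle.io -o json` and adjust `BASELINE` to your own policy.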