Merge pull request rancher#481 from rancher/release/v2.7.2

Publishing v2.7.2 docs

.gitignore

@@ -17,4 +17,6 @@
 
 npm-debug.log*
 yarn-debug.log*
-yarn-error.log*
+yarn-error.log*
+
+.idea/

docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-psact.yaml

@@ -0,0 +1,37 @@
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+- configuration:
+    apiVersion: pod-security.admission.config.k8s.io/v1
+    defaults:
+      audit: restricted
+      audit-version: latest
+      enforce: restricted
+      enforce-version: latest
+      warn: restricted
+      warn-version: latest
+    exemptions:
+      namespaces:
+      - ingress-nginx
+      - kube-system
+      - cattle-system
+      - cattle-epinio-system
+      - cattle-fleet-system
+      - longhorn-system
+      - cattle-neuvector-system
+      - cattle-monitoring-system
+      - rancher-alerting-drivers
+      - cis-operator-system
+      - cattle-csp-adapter-system
+      - cattle-externalip-system
+      - cattle-gatekeeper-system
+      - istio-system
+      - cattle-istio-system
+      - cattle-logging-system
+      - cattle-windows-gmsa-system
+      - cattle-sriov-system
+      - cattle-ui-plugin-system
+      - tigera-operator
+    kind: PodSecurityConfiguration
+  name: PodSecurity
+  path: ""

docs/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/upgrade-a-hardened-cluster-to-k8s-v1-25.md

@@ -0,0 +1,62 @@
+---
+title: Upgrade a Hardened Custom/Imported Cluster to Kubernetes v1.25
+---
+
+Kubernetes v1.25 changes how clusters describe and implement security policies. From this version forward, [Pod Security Policies (PSPs)](https://kubernetes.io/docs/concepts/security/pod-security-policy/) are no longer available. Kubernetes v1.25 replaces them with new security objects: [Pod Security Standards (PSS)](https://kubernetes.io/docs/concepts/security/pod-security-standards/), and [Pod Security Admissions (PSAs)](https://kubernetes.io/docs/concepts/security/pod-security-admission/). 
+
+If you have custom or imported hardened clusters, you must make special preparations to ensure that the upgrade from an earlier version of Kubernetes to v1.25 or later goes smoothly.
+
+## Upgrading Imported Hardened Clusters to Kubernetes v1.25 or Later
+
+<Tabs groupId="k8s-distro">
+<TabItem value="RKE2" default>
+
+Perform the following on each node in the cluster: 
+1. Save [`rancher-psact.yaml`](./rancher-psact.yaml) in `/etc/rancher/rke2`.
+1. Edit the RKE2 configuration file:
+   1. Update the `profile` field to `cis-1.23`.
+   1. Specify the path for the configuration file that you just added: `pod-security-admission-config-file: /etc/rancher/rke2/rancher-psact.yaml`.
+
+</TabItem>
+<TabItem value="K3s">
+
+Perform the following on each node in the cluster:
+
+Follow the official K3s instructions on [Upgrading Hardened Clusters from v1.24.x to v1.25.x](https://docs.k3s.io/known-issues#hardened-125), but use a [custom](./rancher-psact.yaml) Rancher PSA configuration template, instead of the configuration provided on the official K3s site.
+</TabItem>
+</Tabs>
+
+After you perform these steps, you can upgrade the cluster's Kubernetes version through the Rancher UI:
+
+1. In the upper left corner, click **☰ > Cluster Management**.
+1. Find the cluster you want to update in the **Clusters** table, and click the **⋮**.
+1. Select **Edit Config**.
+1. In the **Kubernetes Version** dropdown menu, select the version that you would like to use.
+1. Click **Save**.
+
+## Upgrading Custom Hardened Clusters to Kubernetes v1.25 or Later
+
+<Tabs groupId="k8s-distro">
+<TabItem value="RKE2" default>
+
+1. In the upper left corner, click **☰ > Cluster Management**.
+1. Find the cluster you want to update in the **Clusters** table, and click the **⋮**.
+1. Select **Edit Config**.
+1. Under **Basics > Security**, in the **CIS Profile** dropdown menu, select `cis-1.23`. 
+1. In the **Default Pod Security Admission** dropdown menu, select `rancher-restricted`.
+1. In the **Kubernetes Version** dropdown menu, select the version that you would like to use.
+1. Click **Save**.
+
+</TabItem>
+<TabItem value="K3s">
+
+1. In the upper left corner, click **☰ > Cluster Management**.
+1. Find the cluster you want to update in the **Clusters** table, and click the **⋮**.
+1. Select **Edit YAML**.
+1. Delete `PodSecurityPolicy` from `kube-apiserver-arg.enable-admission-plugins`
+1. Add this line to the `spec` field: `defaultPodSecurityAdmissionConfigurationTemplateName: rancher-restricted`
+1. Update `kubernetesVersion` to your chosen version (v1.25 or later).
+1. Click **Save**.
+
+</TabItem>
+</Tabs>

docs/getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha.md

@@ -74,13 +74,12 @@ When setting up the Rancher Helm template, there are several options in the Helm
 | `systemDefaultRegistry` | `<REGISTRY.YOURDOMAIN.COM:PORT>` | Configure Rancher server to always pull from your private registry when provisioning clusters.  |
 | `useBundledSystemChart` | `true`                           | Configure Rancher server to use the packaged copy of Helm system charts. The [system charts](https://github.com/rancher/system-charts) repository contains all the catalog items required for features such as monitoring, logging, alerting and global DNS. These [Helm charts](https://github.com/rancher/system-charts) are located in GitHub, but since you are in an air gapped environment, using the charts that are bundled within Rancher is much easier than setting up a Git mirror. |
 
-### 3. Fetch the Cert-Manager chart 
+### 3. Fetch the Cert-Manager Chart
 
 Based on the choice your made in [2. Choose your SSL Configuration](#2-choose-your-ssl-configuration), complete one of the procedures below.
 
 #### Option A: Default Self-Signed Certificate
 
-
 By default, Rancher generates a CA and uses cert-manager to issue the certificate for access to the Rancher server interface.
 
 :::note
@@ -109,15 +108,14 @@ New in v2.6.4, cert-manager versions 1.6.2 and 1.7.1 are compatible. We recommen
 :::
 
 ```plain
-helm fetch jetstack/cert-manager --version v1.7.1
+helm fetch jetstack/cert-manager --version v1.11.0
 ```
 
-
 ##### 3. Retrieve the Cert-Manager CRDs
 
 Download the required CRD file for cert-manager:
    ```plain
-   curl -L -o cert-manager/cert-manager-crd.yaml https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml
+   curl -L -o cert-manager-crd.yaml https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
    ```
 
 ### 4. Install Rancher
@@ -128,6 +126,12 @@ Copy the fetched charts to a system that has access to the Rancher server cluste
 
 Install cert-manager with the options you would like to use to install the chart. Remember to set the `image.repository` option to pull the image from your private registry. This will create a `cert-manager` directory with the Kubernetes manifest files.
 
+:::note
+
+To see options on how to customize the cert-manager install (including for cases where your cluster uses PodSecurityPolicies), see the [cert-manager docs](https://artifacthub.io/packages/helm/cert-manager/cert-manager#configuration).
+
+:::
+
 <details id="install-cert-manager">
   <summary>Click to expand</summary>
 
@@ -139,7 +143,7 @@ If you are using self-signed certificates, install cert-manager:
     kubectl create namespace cert-manager
     ```
 
-2. Create the cert-manager CustomResourceDefinitions (CRDs). 
+2. Create the cert-manager CustomResourceDefinitions (CRDs).
 
     ```plain
     kubectl apply -f cert-manager/cert-manager-crd.yaml
@@ -148,7 +152,7 @@ If you are using self-signed certificates, install cert-manager:
 3. Install cert-manager.
 
     ```plain
-    helm install cert-manager ./cert-manager-v1.7.1.tgz \
+    helm install cert-manager ./cert-manager-v1.11.0.tgz \
         --namespace cert-manager \
         --set image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-controller \
         --set webhook.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-webhook \

docs/getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/publish-images.md

@@ -56,13 +56,6 @@ Skip this step if you are using your own certificates, or if you are terminating
 
 In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS certificates, you must add the [`cert-manager`](https://artifacthub.io/packages/helm/cert-manager/cert-manager) image to `rancher-images.txt` as well.
 
-
-:::note
-
-New in v2.6.4, cert-manager versions 1.6.2 and 1.7.1 are compatible. We recommend v1.7.x because v 1.6.x will reach end-of-life on March 30, 2022.
-
-:::
-
 1.  Fetch the latest `cert-manager` Helm chart and parse the template for image details:
 
     :::note
@@ -74,7 +67,7 @@ New in v2.6.4, cert-manager versions 1.6.2 and 1.7.1 are compatible. We recommen
     ```plain
     helm repo add jetstack https://charts.jetstack.io
     helm repo update
-    helm fetch jetstack/cert-manager --version v1.7.1
+    helm fetch jetstack/cert-manager --version v1.11.0
     helm template ./cert-manager-<version>.tgz | awk '$1 ~ /image:/ {print $2}' | sed s/\"//g >> ./rancher-images.txt
     ```
 
@@ -253,7 +246,7 @@ The workstation must have Docker 18.02+ in order to support manifests, which are
    ```plain
    helm repo add jetstack https://charts.jetstack.io
    helm repo update
-   helm fetch jetstack/cert-manager --version v0.12.0
+   helm fetch jetstack/cert-manager --version v1.11.0
    helm template ./cert-manager-<version>.tgz | awk '$1 ~ /image:/ {print $2}' | sed s/\"//g >> ./rancher-images.txt
    ```
 

docs/getting-started/installation-and-upgrade/other-installation-methods/rancher-behind-an-http-proxy/install-rancher.md

@@ -30,21 +30,21 @@ kubectl create namespace cert-manager
 
 Install the CustomResourceDefinitions of cert-manager:
 
-:::note
-
-New in v2.6.4, cert-manager versions 1.6.2 and 1.7.1 are compatible. We recommend v1.7.x because v 1.6.x will reach end-of-life on March 30, 2022.
-
-:::
-
 ```
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
 ```
 
 And install it with Helm. Note that cert-manager also needs your proxy configured in case it needs to communicate with Let's Encrypt or other external certificate issuers:
 
+:::note
+
+To see options on how to customize the cert-manager install (including for cases where your cluster uses PodSecurityPolicies), see the [cert-manager docs](https://artifacthub.io/packages/helm/cert-manager/cert-manager#configuration).
+
+:::
+
 ```
 helm upgrade --install cert-manager jetstack/cert-manager \
-  --namespace cert-manager --version v1.7.1 \
+  --namespace cert-manager --version v1.11.0 \
   --set http_proxy=http://${proxy_host} \
   --set https_proxy=http://${proxy_host} \
   --set no_proxy=127.0.0.0/8\\,10.0.0.0/8\\,cattle-system.svc\\,172.16.0.0/12\\,192.168.0.0/16\\,.svc\\,.cluster.local

docs/getting-started/installation-and-upgrade/resources/upgrade-cert-manager.md

@@ -93,7 +93,7 @@ In order to upgrade cert-manager, follow these instructions:
     helm install \
       cert-manager jetstack/cert-manager \
       --namespace cert-manager \
-      --version v0.12.0
+      --version v1.11.0
     ```
 
 1. [Restore back up resources](https://cert-manager.io/docs/tutorials/backup/#restoring-resources)
@@ -125,7 +125,7 @@ Before you can perform the upgrade, you must prepare your air gapped environment
 1. Fetch the latest cert-manager chart available from the [Helm chart repository](https://artifacthub.io/packages/helm/cert-manager/cert-manager).
 
     ```plain
-    helm fetch jetstack/cert-manager --version v0.12.0
+    helm fetch jetstack/cert-manager --version v1.11.0
     ```
 
 1. Render the cert manager template with the options you would like to use to install the chart. Remember to set the `image.repository` option to pull the image from your private registry. This will create a `cert-manager` directory with the Kubernetes manifest files.
@@ -153,7 +153,7 @@ Before you can perform the upgrade, you must prepare your air gapped environment
 1. Download the required CRD file for cert-manager (old and new)
 
     ```plain
-    curl -L -o cert-manager/cert-manager-crd.yaml https://raw.githubusercontent.com/cert-manager/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
+    curl -L -o cert-manager-crd.yaml https://raw.githubusercontent.com/cert-manager/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
     curl -L -o cert-manager/cert-manager-crd-old.yaml https://raw.githubusercontent.com/cert-manager/cert-manager/release-X.Y/deploy/manifests/00-crds.yaml
     ```
 

docs/getting-started/quick-start-guides/deploy-rancher-manager/helm-cli.md

@@ -92,12 +92,18 @@ Once edited, either press `ctrl+s` or go to `File > Save` to save your work.
 
 Then from your local workstation, run the following commands. You will need to have [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) and [helm.](https://helm.sh/docs/intro/install/) installed.
 
+:::note
+
+To see options on how to customize the cert-manager install (including for cases where your cluster uses PodSecurityPolicies), see the [cert-manager docs](https://artifacthub.io/packages/helm/cert-manager/cert-manager#configuration).
+
+:::
+
 ```
 helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
 
 kubectl create namespace cattle-system
 
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.crds.yaml
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
 
 helm repo add jetstack https://charts.jetstack.io
 
@@ -106,13 +112,13 @@ helm repo update
 helm install cert-manager jetstack/cert-manager \
   --namespace cert-manager \
   --create-namespace \
-  --version v1.7.1
+  --version v1.11.0
 
 # Windows Powershell
 helm install cert-manager jetstack/cert-manager `
   --namespace cert-manager `
   --create-namespace `
-  --version v1.7.1
+  --version v1.11.0
 ```
 
 The final command to install Rancher is below. The command requires a domain name that forwards traffic to the Linux machine. For the sake of simplicity in this tutorial, you can use a fake domain name to create your proof-of-concept. An example of a fake domain name would be `<IP_OF_LINUX_NODE>.sslip.io`.

docs/how-to-guides/advanced-user-guides/cis-scan-guides/install-rancher-cis-benchmark.md

@@ -8,4 +8,10 @@ title: Install Rancher CIS Benchmark
 1. Click **CIS Benchmark**
 1. Click **Install**.
 
-**Result:** The CIS scan application is deployed on the Kubernetes cluster.
+**Result:** The CIS scan application is deployed on the Kubernetes cluster.
+
+:::note
+
+CIS Benchmark 4.0.0 and above have PSPs disabled by default. To install CIS Benchmark on a hardened cluster, set `golbal.psp.enabled` to `true` in the values before installing the chart.
+
+:::